AUTHENTICATED U.S. GOVERNMENT INFORMATION


S. Hrg. 109-1087 

IDENTITY THEFT AND DATA BROKER SERVICES 


HEARING 

BEFORE THE 

COMMITTEE ON COMMERCE, 
SCIENCE, AND TRANSPORTATION 
UNITED STATES SENATE 

ONE HUNDRED NINTH CONGRESS 

FIRST SESSION 


MAY 10, 2005 


Printed for the use of the Committee on Commerce, Science, and Transportation 



61-787 PDF 


U.S. GOVERNMENT PRINTING OFFICE 
WASHINGTON : 2010 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 


SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION 
ONE HUNDRED NINTH CONGRESS 
FIRST SESSION 


TED STEVENS, Alaska, Chairman 


JOHN McCAIN, Arizona 
CONRAD BURNS, Montana 
TRENT LOTT, Mississippi 
KAY BAILEY HUTCHISON, Texas 
OLYMPIA J. SNOWE, Maine 
GORDON H. SMITH, Oregon 
JOHN ENSIGN, Nevada 
GEORGE ALLEN, Virginia 
JOHN E. SUNUNU, New Hampshire 
JIM DeMINT, South Carolina 
DAVID VITTER, Louisiana 


DANIEL K. INOUYE, Hawaii, Co-Chairman 
JOHN D. ROCKEFELLER IV, West Virginia 
JOHN F. KERRY, Massachusetts 
BYRON L. DORGAN, North Dakota 
BARBARA BOXER, California 
BILL NELSON, Florida 
MARIA CANTWELL, Washington 
FRANK R. LAUTENBERG, New Jersey 
E. BENJAMIN NELSON, Nebraska 
MARK PRYOR, Arkansas 


Lisa J. Sutherland, Republican Staff Director 
Christine Drager Kurth, Republican Deputy Staff Director 
David Russell, Republican Chief Counsel 
Margaret L. Cummisky, Democratic Staff Director and Chief Counsel 
Samuel E. Whitehorn, Democratic Deputy Staff Director and General Counsel 
Lila Harper Helms, Democratic Policy Director 


(II) 



CONTENTS 


Page 

Hearing held on May 10, 2005 1 

Statement of Senator Dorgan 25 

Statement of Senator Inouye 1 

Prepared statement 2 

Statement of Senator Kerry 38 

Statement of Senator Lautenberg 3 

Prepared statement 3 

Statement of Senator Bill Nelson 2 

Statement of Senator Pryor 27 

Statement of Senator Smith 5 

Chart, 2005 Data Security Incidents 32 

Prepared statement of Senator McCain 32 

Statement of Senator Stevens 1 

Statement of Senator Vitter 6 

Witnesses 

Barrett, Jennifer T., Chief Privacy Officer, Acxiom Corporation 46 

Prepared statement 48 

Curling, Douglas C., President/Chief Operating Officer, ChoicePoint® Inc 12 

Prepared statement 15 

Frank, Esq., Mari J., Attorney, Mari J. Frank, Esq. & Associates 68 

Prepared statement 73 

Kurtz, Paul B., Executive Director, Cyber Security Industry Alliance (CSIA) 53

Prepared statement 55

Rotenberg, Marc, President/Executive Director, Electronic Privacy Information Center (EPIC) 58

Prepared statement 60

Sanford, Kurt P., President/CEO, U.S. Corporate and Federal Government Markets, LexisNexis 6

Prepared statement 8

Appendix 

Dempsey, James X., Executive Director, Center for Democracy & Technology, statement before the Senate Committee on the Judiciary, April 13, 2005 107

Hillebrand, Gail, Senior Attorney, Consumers Union, prepared statement 99

Ireland, Oliver I., Attorney, Morrison & Foerster LLP; on behalf of Visa U.S.A. Inc., statement before the Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce, United States House of Representatives, May 11, 2005 114

Response to written questions submitted by Hon. Daniel K. Inouye to Paul B. Kurtz 116

Response to written questions submitted by Hon. Bill Nelson to:

Jennifer T. Barrett 118

Kurt P. Sanford 121


(III) 




IDENTITY THEFT AND DATA BROKER 
SERVICES 


TUESDAY, MAY 10, 2005 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 2:30 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Ted Stevens, 
Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. TED STEVENS, 

U.S. SENATOR FROM ALASKA 

The Chairman. Mr. Sanford, Mr. Curling, let me welcome you, gentlemen. And I thank the witnesses for coming, and appreciate their willingness to appear to discuss the recent data breaches that left exposed the personal information of thousands of consumers. Over the recess, my staff attempted to steal my identity, and I regret to say they were successful. So, they demonstrated to me, when I came back from this recess, just how easy it really is to steal an identity.

This is the first of several hearings that our committee is going to conduct to have a better understanding of data brokerage services, as well as how data brokers handle personal consumer information.

This hearing is intended to discuss the recent data breaches and what the private industry is doing to mitigate the possibility of future breaches. The Committee will revisit this issue next month as we look to develop legislative solutions that might better protect consumers from future breaches.

We believe we must be careful to strike a balance between assuring the security of certain types of personal information, while not inhibiting the legitimate flow of information that is vital to our economy.

Now, it’s my intention to turn the chair over to Senator Smith when he arrives, Senator. I’ve got a conflict today. But let me yield to my Co-Chairman, Senator Inouye.

STATEMENT OF HON. DANIEL K. INOUYE, 

U.S. SENATOR FROM HAWAII 

Senator Inouye. I thank you very much, Mr. Chairman. 

I agree with your words. And I’d like to point out that, since January, there have been at least 32 major data security incidents potentially affecting 5.2 million Americans. These incidents only came to light because of a California law that requires disclosure of data security breaches. No one knows how many undisclosed breaches may have occurred prior to the implementation of the California law. And equally disturbing is the possibility that the full impact of these breaches may never be known, and millions of Americans remain unaware of their vulnerability to identity theft.

So, I look forward to hearing from the witnesses, and I thank them for appearing. And I ask that my full statement be made part of the record.

The Chairman. Your statement will be made part of the record, and all the statements that the Senators have.

[The prepared statement of Senator Inouye follows:] 

Prepared Statement of Hon. Daniel K. Inouye, U.S. Senator from Hawaii 

I thank Chairman Stevens and Chairman Smith for holding a hearing today on this important issue of data brokers.

Since January, there have been at least 32 major data security incidents potentially affecting 5.2 million Americans. And those are just the data breaches we know about due to the disclosure law in the State of California. There are many more that have not been made public.

The identity theft that results from these data breaches can wreak havoc on the lives of consumers — wealthy and poor — for many years.

Recognizing the risks of computerizing personal data, Congress, in 1970, passed the Fair Credit Reporting Act. The FCRA requires credit reporting agencies to protect consumer information, and use it only for limited purposes. These agencies also are responsible for vetting their customers.

Data brokers are now collecting different sensitive, personal information, yet their operations are not governed by any Federal law, and only one State law.

We will hear today from the largest data brokers about the steps they are taking to better secure their data, and to properly vet their customers. We applaud you for taking those steps. But I am worried more about the hundreds of smaller data brokers who have no incentive to change their ways since there is no law governing their behavior.

Almost every American — including this Senator — has their personal information stored in these databases whether we like it or not. This committee is responsible for making sure that this sensitive, personal information is not used for identity fraud that can ruin any family’s financial future. We look forward to our witnesses helping us reach this goal.

The Chairman. Senator, do you have a statement? 

STATEMENT OF HON. BILL NELSON, 

U.S. SENATOR FROM FLORIDA 

Senator Bill Nelson. Yes, sir, I do, Mr. Chairman, because one of the vehicles in front of the Committee is a bill that — two bills that I have filed, one with Senator Schumer that’s more of a comprehensive package.

As I have met with identity victims, Mr. Chairman, one of the great parts of frustration for them is, once their identity is stolen, they don’t know where to go to get it back. They go to local law enforcement; they send them to somebody at the State. The State sends somebody to the Federal. The reason my two bills have been referred here is that my solution to that is using the FTC as the repository, first of all, to give them some teeth in the law in which to regulate information brokers who heretofore have not been regulated as information brokers, and, second, to have a place where the consumer can go — one place, one-stop shopping — in order to get their identity back. And so, in the legislation, we create the Office of Identity Theft in our legislation, within the FTC, that creates that one-stop shopping.

And our legislation would mandate that the companies must reasonably protect this consumer information that is now collected on billions of bits of information on virtually every one of us in America, and, as a result of what we’ve seen happen thus far, if we don’t do something about this, Mr. Chairman, none of us are going to have any identity left. It’s going to require the companies — these are the information brokers — to notify consumers when a security breach occurs. And the only reason that we know about this, Mr. Chairman Stevens, is the fact that there is a California State statute that requires just that; otherwise, we wouldn’t have known about this. It’s going to tighten the commercial usage of Social Security numbers, and it’s going to create an Assistant Secretary of Cybersecurity within the Department of Homeland Security.

And so, I’m really looking forward to the discussion today about these ideas.

Thank you, Mr. Chairman. 

The Chairman. Senator Lautenberg? 

STATEMENT OF HON. FRANK R. LAUTENBERG, 

U.S. SENATOR FROM NEW JERSEY 

Senator Lautenberg. Yes, Mr. Chairman, I ask consent that my full statement be included in the record.

But I do want to say a few things.

And before I came here, I was CEO of a company called ADP, and — I was one of the founders of that company — and we were terribly conscious of the records that we had, because, through our company, we pay one out of six workers in the American private-sector labor market. One out of six are paid through the ADP company. And I thought our principal obligation, Mr. Chairman, was the protection of the identity of those people. And there is a treasure trove there that could be sold. We refused to do it, but — that wasn’t our business, anyway — but this now has become such a problem, and I congratulate Senator Nelson for his initiative here, to try and get something done.

But when you look at the numbers of identity — the people who are affected by identity theft, it’s staggering — 2002, 404,000 people reported identity-theft complaints; in 2004, just 2 years later, the number climbed by more than 230,000 more people who were exposed to identity theft.

So, Mr. Chairman, I congratulate you for moving the agenda here on matters of great importance.

[The prepared statement of Senator Lautenberg follows:] 

Prepared Statement of Hon. Frank R. Lautenberg, U.S. Senator from New Jersey

Mr. Chairman, thank you for holding this important hearing on the “data brokerage” industry, and the role and responsibilities of firms that compile, store, and sell sensitive, personal information.

The recent security breaches at the Nation’s largest data brokerage firms have left millions of Americans increasingly vulnerable to identity theft and scams. Overall, some 10 million Americans were victimized by identity thieves last year.

Mr. Chairman, before I ran for the Senate, I was a Co-Founder and CEO of a company called ADP, or Automatic Data Processing, which processes payrolls and maintains personnel records, and currently pays one out of every six private-sector workers in the United States.

Throughout my years at ADP, we always recognized our obligation to maintain the confidentiality of the information that was entrusted to us. So I am extremely concerned about the security breaches and management failures that have recently exposed sensitive, personal information about millions of Americans.

In the wrong hands, this data about an individual can be used to ruin that person’s credit rating . . . their finances . . . and even their good name.

In the past, personal information on individuals was available, but it was stored in multiple locations and often only on paper. It took significant effort to accumulate the information necessary to damage the credit or identity of a person.

Today, however, technology permits faster and consolidated access to personal data in fewer databases. Collecting and selling personal information is a big business — but no matter how big it becomes, it must never overshadow the rights of the American people. Their privacy should never be compromised or neglected.

Victims of identity theft often spend years of their precious time, and large amounts of their hard-earned money, to repair their financial records and credit history. In some cases, job opportunities are lost and loans are refused. In 2002, there were just under 404,000 reported identity theft complaints nationwide. In 2004, that number climbed to 635,000.

Mr. Chairman, our laws must ensure that companies protect personal information with great care. I look forward to hearing from our two panels today.

Thank you, Mr. Chairman. 

Senator Lautenberg. And, if I may indulge the Committee just one half-minute more, today is the last day for Rudy Brioche, who’s been with me for these couple of years. Rudy is leaving me to go work for the FCC. And so, this is his last hearing, and I want to publicly thank him for his wonderful work for all of us.

The Chairman. We wish him well. We’ll keep him busy. 

[Laughter.] 

The Chairman. Let me just say, turning the hearing over to Senator Smith, I was surprised when my staff presented me the information they got from a series of places. For $65, they were told they could get my Social Security number. I don’t know if you’ve done this, but in the report that they got on me, I found my daughter’s rental property in California and some of my son’s activities. And he’s, unfortunately, a junior out in California. I also found that there are probably two or three other people in this community right here that have the same basic name, Theodore F. Stevens; they’re not all the same middle name. It’s been suggested that I should change my name, and use my middle name now if I want to maintain my own identity.

I think this is a very serious thing, and we want to hear from you all. As I said, Senator Smith, this is just the first of a series of hearings. I do think we’ve got several bills now that have been introduced into Congress to address this, and it’s going to be a very difficult thing for us to handle.

So, we’re not going to handle it on the basis of listening sessions, like this one, because basic information is going to come from people like the witnesses who are here today. Again, I thank them very much for being willing to join us.

Senator Smith, it’s your Chair.

Senator Bill Nelson. Mr. Chairman, could I just add one thing to what Senator Stevens has said? This card that each one of us has, which is Bank of America, and it is the Senate travel card, the records are missing on 60 Senators. I am one of them. Now, we hope that this information is not stolen, but the records of over a million people, of which 60 United States Senators are included within that, those records are missing. If they are in the wrong hands, then, because they have the information on that card, they’ve got all of our Social Security numbers, and they’ve got detailed financial information. And this is, increasingly, what we’re going to be facing.

The Chairman. Well, I’m embarrassed to say, Senator, my staff doesn’t trust me with that card.

[Laughter.] 

The Chairman. Senator? 

Voice: Zero balance. 

[Laughter.] 

STATEMENT OF HON. GORDON H. SMITH, 

U.S. SENATOR FROM OREGON 

Senator Smith [presiding]. Well, thank you, Mr. Chairman. And I know you have another responsibility at some point, and I’m happy to sit in your stead.

But I think this is a very, very important hearing, as all of my colleagues have indicated, and I read, with horror, that the FTC is reporting that over ten million Americans are victimized by identity thieves every year. These numbers translate into losses of over $55 billion per year, averaging over $10,000 stolen per fraudulent incident. In 2005, alone, there were at least 35 known incidents of data breaches potentially affecting over five million individuals. My State of Oregon ranks ninth in the Nation for fraud complaints and identity theft.

So, today’s hearing will focus on recent data-broker services and their relationship to identity-theft enforcement. Although this hearing will not focus on any particular legislative proposal, the Committee, as the Chairman has noted, will hold subsequent hearings with the FTC to discuss legislative solutions that we need to pursue on identity theft.

At this hearing, the Committee will examine data-broker services, the recent data breaches, and the treatment of data brokers under existing Federal privacy laws. Specifically, we will have the chance to better understand the recent security breaches at ChoicePoint and LexisNexis and how the information industry has responded to prevent future breaches. We’ll also explore public and private solutions to detect and prevent identity theft and fraud, and ensure that personal information is secure and protected from those who attempt to perpetrate these crimes.

Protecting sensitive information is an issue of great importance for all Americans, and this issue does not register Democrat or Republican. Consumers should have confidence, when they share their information with others, that their information will be protected. At the same time, the ability of legitimate companies to access personal information certainly does facilitate commerce and continues to benefit consumers. Data-broker companies perform important commercial and public functions through their ability to quickly and securely access consumer data.

Now, we look forward to working with all our colleagues in coming up with legislative solutions to this problem. We need to make sure that this legislation strikes the right balance to ensure the continued existence of critical services while ensuring the security of personal information to prevent its misuse and subsequent breaches.

We’ve been joined by Senator Vitter on this Committee, and, Senator, if you have an opening statement, we’ll hear from you before we go to our witnesses.

STATEMENT OF HON. DAVID VITTER, 

U.S. SENATOR FROM LOUISIANA 

Senator Vitter. Mr. Chairman, I don’t have an opening statement. Thank you, Chairman Stevens, for leading this matter. It’s, unfortunately, a very legitimate area of growing concern because of these recent breaches and because of the phenomenon across the country. So, thank you for your, Senator Stevens, and others’ leadership.

Senator Smith. Thank you, Senator Vitter.

We will now hear first from Mr. Kurt Sanford, President and Chief Executive Officer of U.S. Corporate and Federal Government Markets, LexisNexis, from Miamisburg, Ohio.

Thank you, Mr. Sanford. The mike is yours. 

STATEMENT OF KURT P. SANFORD, PRESIDENT/CEO, U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS, LexisNexis

Mr. Sanford. Chairman Stevens, Senator Inouye, Senator Smith, and distinguished members of the Committee, good afternoon. My name is Kurt Sanford. I am the President and Chief Executive Officer for Corporate and Federal Markets at LexisNexis. I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft, fraud, and data security.

LexisNexis is a leading provider of authoritative legal public records and business information, playing a vital role in supporting government, law enforcement, and business customers who use our information services for important uses, including detecting and preventing identity theft and fraud, locating suspects, and finding missing children.

One of the important uses of our products and services provided by LexisNexis is to detect and prevent identity theft and fraud. The FTC has indicated that the total cost of identity fraud for businesses and individuals is approximately $50 billion per year. In 2004, 9.3 million consumers were victimized by identity fraud.

Until recently, it was not fully appreciated that identity theft is part of a larger problem of identity fraud. Identity fraud is the use of false identifiers, fraudulent documents, or a stolen identity in the commission of a crime. Both industry and government have asked LexisNexis to develop solutions to help address this evolving problem.

Financial institutions, online retailers, and other businesses have turned to LexisNexis to help them detect and prevent identity theft and fraud. With the use of LexisNexis, a major bank-card issuer experienced a 77 percent reduction in the dollar losses due to fraud associated with identity theft. Our products are becoming increasingly necessary to combat identity fraud associated with Internet transactions, where high-dollar merchandise, such as computers and other electronics, are sold via credit card. Lower fraud costs to businesses ultimately mean lower cost and greater efficiencies for consumers.

While we work hard to provide our customers with effective products, we also recognize the importance of protecting the privacy of the consumer information in our databases. We have privacy policies, practices, and procedures in place to protect this information. Our Chief Privacy Officer and Privacy Policy Review Board work together to ensure that LexisNexis has strong policies to help safeguard consumer privacy.

We also have multilayer security processes and procedures in place to protect our systems and the information contained in our databases. Maintaining security is not a static process; it requires continuously evaluating and adjusting our security procedures to address the new threats we face every day.

Even with these safeguards, we discovered, earlier this year, some security incidents at our Seisint business, which we acquired last September. In February 2005, a LexisNexis integration team became aware of some billing irregularities and unusual usage patterns with several customer accounts. Upon further investigation, we discovered that unauthorized persons using IDs and passwords of legitimate Seisint customers may have accessed personally identifying information such as Social Security numbers and driver’s license numbers. No personal financial, credit, or medical information was involved, since LexisNexis and Seisint do not collect that type of information. In March, we notified approximately 30,000 individuals whose personally identifying information may have been unlawfully accessed.

Based on these incidents at Seisint, I ordered an extensive review of data-search activity going back to January 2003 at our Seisint unit and across all LexisNexis databases that contained personally identifying information. We completed that review on April 11th and concluded that unauthorized persons, primarily using IDs and passwords of legitimate Seisint customers, may have accessed personally identifying information on approximately 280,000 additional individuals. At no time was the LexisNexis or Seisint technology infrastructure hacked into or penetrated; no customer data was accessed or compromised.

We sincerely regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed. We took quick action to notify those individuals. We are providing all individuals with a consolidated credit report and credit-monitoring services. For those individuals who do become victims of fraud, we will provide counselors to help them clear their credit reports of any information relating to fraudulent activity. We will also provide them with identity-theft insurance to cover expenses associated with restoring their identity and repairing their credit reports.

We’ve learned a great deal from the security incidents at Seisint and are making substantial changes in our business practices and policies across all LexisNexis businesses to help prevent any future incidents. I have included the details of these enhancements in my written statement.

I would like to focus the remainder of my time on policy issues being considered to further enhance data security, and address the growing problem of identity theft and fraud.

LexisNexis would support the following legislative approaches.

First, we support requiring notification in the event of a security breach where there is a significant risk of harm to consumers. In addition, we believe that it’s important that any such proposal contain Federal preemption.

Second, we would support the adoption of data-security safeguards modeled after the safeguard rules of the Gramm-Leach-Bliley Act.

Finally, it’s important that any legislation strike the right balance between protecting privacy and ensuring continued access to critically important information.

Thank you, again, for the opportunity to be here today to provide the Committee with our company’s perspective on these important public-policy issues. We look forward to working with the Committee as it considers these important issues.

[The prepared statement of Mr. Sanford follows:] 

Prepared Statement of Kurt P. Sanford, President/CEO, U.S. Corporate and Federal Government Markets, LexisNexis

Introduction

Good morning. My name is Kurt Sanford. I am the President and Chief Executive Officer for Corporate and Federal Markets at LexisNexis. I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft and fraud, and data security.

LexisNexis is a leading provider of authoritative, legal, public records, and business information. Today, over three million professionals — lawyers, law enforcement officials, government agencies’ employees, financial institution representatives, and others — use the LexisNexis services. Government agencies, businesses, researchers, and others rely on information provided by LexisNexis for a variety of important uses.

One of the important uses of products and services provided by LexisNexis is to detect and prevent identity theft and fraud. In 2004, 9.3 million consumers were victimized by identity fraud. Credit card companies report $1 billion in losses each year from credit card fraud. Although the insidious effects of identity theft are fairly well known, until recently it was not fully appreciated that identity theft is part of the larger problem of identity fraud. Identity fraud, which encompasses identity theft, is the use of false identifiers, false or fraudulent documents, or a stolen identity in the commission of a crime. It is a component of most major crimes and is felt around the world today. As a result, both industry and government have asked LexisNexis to develop solutions to help address this evolving problem.

Financial institutions, online retailers, and others depend on products and services provided by LexisNexis to help prevent identity theft and fraud. With the use of a LexisNexis solution called Fraud Defender, a major bank card issuer experienced a 77 percent reduction in the dollar losses due to fraud associated with identity theft and credit card origination.

LexisNexis products are becoming increasingly necessary to combat identity fraud associated with Internet transactions where high-dollar merchandise such as computers and other electronic equipment are sold via credit card. Lower fraud costs ultimately mean lower costs and greater efficiencies for consumers.

The following are some other examples of the important ways in which the services of LexisNexis are used by customers:

Locating and recovering missing children — Customers like the National Center for Missing and Exploited Children rely on LexisNexis to help them locate missing and abducted children. Since 1984, the Center has assisted law enforcement in recovering more than 85,000 children. Over the past 4 years, information provided by LexisNexis has been instrumental in a number of the Center’s successful recovery efforts.

Locating suspects and helping make arrests — Many Federal, State and local law enforcement agencies rely on LexisNexis to help them locate criminal suspects, and to identify witnesses to a crime. LexisNexis works closely with Federal, State, and local law enforcement agencies on a variety of criminal investigations. For example, the Beltway Sniper Task Force in Washington, D.C., used information provided by LexisNexis to help locate one of the suspects wanted in connection with that case. In another case, information provided by LexisNexis was recently used to locate and apprehend an individual who threatened a District Court Judge and his family in Louisiana.

Preventing money laundering — LexisNexis has partnered with the American Bankers Association to develop a tool used by banks and other financial institutions to verify the identity of new customers to prevent money laundering and other illegal transactions used to fund criminal and terrorist activities. This tool allows banks to meet Patriot Act and safety and soundness regulatory requirements.

Supporting homeland security efforts — LexisNexis worked with the Department of Homeland Security Transportation Safety Administration (TSA) in developing the Hazardous Materials Endorsement Screening Gateway System. This system allows TSA to perform background checks on commercial truck drivers who wish to obtain an endorsement to transport hazardous materials.

Locating parents delinquent in child support payments — Both public and private agencies rely on LexisNexis to locate parents who are delinquent in child support payments and to locate and attach assets in satisfying court-ordered judgments. The Association for Children for the Enforcement of Support (ACES), a private child-support recovery organization, has had tremendous success in locating non-paying parents using LexisNexis.

These are just a few examples of how our information products are used to help consumers by detecting and preventing fraud, strengthening law enforcement’s ability to apprehend criminals, protecting homeland security and assisting in locating missing and abducted children.

Types of Information Maintained by LexisNexis Risk Solutions

The information maintained by LexisNexis falls into the following three general classifications: public record information, publicly available information, and non-public information.

Public record information. Public record information is information originally obtained from government records that are available to the public. Land records, court records, and professional licensing records are examples of public record information collected and maintained by the government for public purposes, including dissemination to the public.

Publicly available information. Publicly available information is information that is available to the general public from non-governmental sources. Telephone directories are an example of publicly available information.

Non-public information. Non-public information is information about an individual that is not obtained directly from public record information or publicly available information. This information comes from proprietary or non-public sources. Non-public data maintained by LexisNexis consists primarily of information obtained from either motor vehicle records or credit header data. Credit header data is the non-financial identifying information located at the top of a credit report, such as name, current and prior address, listed telephone number, Social Security number, and month and year of birth.

Privacy

LexisNexis is committed to the responsible use of personal identifying information. We have privacy policies in place to protect the consumer information in our databases. Our Chief Privacy Officer and Privacy and Policy Review Board work together to ensure that LexisNexis has strong privacy policies in place to help protect the information contained in our databases. We also undertake regular third-party privacy audits to ensure adherence to our privacy policies.

LexisNexis has an established Consumer Access Program that allows consumers 
to review information on them contained in the LexisNexis system. While the infor- 
mation provided to consumers under this program is comprehensive, it does not in- 
clude publicly available information such as newspaper and magazine articles, and 
telephone directories contained in the LexisNexis system. 

LexisNexis also has a consumer opt-out program that allows individuals to re- 
quest that information about themselves be suppressed from selected databases 
under certain circumstances. To opt-out of LexisNexis databases, an individual must 
provide an explanation of the reason or reasons for the request. Examples of reasons 
include: 

• You are a State, local or Federal law enforcement officer or public official and 
your position exposes you to a threat of death or serious bodily harm; 
• You are a victim of identity theft; or 

• You are at risk of physical harm. 

Supporting documentation is required to process the opt-out request. While this 
opt-out policy applies to all databases maintained by our recently acquired Seisint 
business, it is limited to the non-public information databases in the LexisNexis 
service. The policy does not currently apply to public records information databases 
maintained by LexisNexis. We are currently evaluating what steps we can take to 
better publicize our opt-out program and extend the program to all public records 
databases in the LexisNexis service. 

Security 

LexisNexis has long recognized the importance of protecting the information in 
our databases and has multiple programs in place for verification, authorization and 
IT security. Preventive and detective technologies are deployed to mitigate risk 
throughout the network and system infrastructure and serve to thwart potentially 
malicious activities. LexisNexis also has a multi-layer process in place to screen po- 
tential customers to ensure that only legitimate customers have access to sensitive 
information contained in our systems. Our procedures include a detailed authentica- 
tion process to determine the validity of business licenses, memberships in profes- 
sional societies and other credentials. We also authenticate the documents provided 
to us to ensure they have not been tampered with or forged. 

Only those customers with a permissible purpose under applicable laws are grant- 
ed access to sensitive data such as driver’s license information and Social Security 
numbers. In addition, customers are required to make express representations and 
warranties regarding access and use of sensitive information and we limit a cus- 
tomer’s access to information in LexisNexis products according to the purposes for 
which they seek to use the information. 

Maintaining security is not a static process — it requires continuously evaluating 
and adjusting our security processes, procedures and policies. High-tech fraudsters 
are getting more sophisticated in the methods they use to access sensitive informa- 
tion in databases. We continuously adapt our security procedures to address the 
new threats we face every day from those who seek to unlawfully access our data- 
bases. We undertake regular third-party security audits to test the security of sys- 
tems and identify any potential weaknesses. 

Even with the multi-layer safeguards in place at LexisNexis, we discovered earlier 
this year that unauthorized persons primarily using IDs and passwords of legiti- 
mate customers may have accessed personal identifying information at our recently 
acquired Seisint business. In February 2005, a LexisNexis integration team became 
aware of some billing irregularities and unusual usage patterns with several cus- 
tomer accounts. At that point we contacted the U.S. Secret Service. The Secret Serv- 
ice initially asked us to delay notification so they could conduct their investigation. 
About a week later, we publicly announced these incidents and within a week sent 
out notices to approximately 30,000 individuals. 

The investigation revealed that unauthorized persons, primarily using IDs and 
passwords of legitimate customers, may have accessed personal-identifying informa- 
tion, such as Social Security numbers (SSNs) and driver’s license numbers (DLNs). 
In the majority of instances, IDs and passwords were stolen from Seisint customers 
that had legally permissible access to SSNs and DLNs for legitimate purposes, such 
as verifying identities and preventing and detecting fraud. No personal financial, 
credit, or medical information was involved since LexisNexis and Seisint do not col- 
lect such information. At no time was the LexisNexis or Seisint technology infra- 
structure hacked into or penetrated nor was any customer data residing within that 
infrastructure accessed or compromised. 

Based on the incidents at Seisint, I directed our teams to conduct an extensive 
review of data-search activity at our Seisint unit, and across all LexisNexis data- 
bases that contain personal identifying information. In this review, we analyzed 
search activity for the past twenty-seven months to determine if there were any 
other incidents that potentially could have adversely impacted consumers. We com- 
pleted that review on April 11, 2005. As a result of this in-depth review, we discov- 
ered additional incidents where there was some possibility that unauthorized per- 
sons may have accessed personal identifying information of approximately 280,000 
additional individuals. 

We deeply regret these incidents and any adverse impact they may have on the 
individuals whose information may have been accessed. We took quick action to no- 
tify the identified individuals. We are providing all individuals with a consolidated 
credit report and credit monitoring services. For those individuals who do become 
victims of fraud, we will provide counselors to help them clear their credit reports 
of any information relating to fraudulent activity. We will also provide them with 
identity-theft expense insurance coverage up to $20,000 to cover expenses associated 
with restoring their identity and repairing their credit reports. 

We have learned a great deal from the security incidents at Seisint and are mak- 
ing substantial changes in our business practices and policies across all LexisNexis 
businesses to help prevent any future incidents. These include: 

• Changing customer password security processes to require that passwords for 
both system administrators and users be changed at least every 90 days; 

• Suspending customer passwords of system administrators and users that have 
been inactive for 90 days; 

• Suspending customer passwords after five unsuccessful login attempts and re- 
quiring them to contact Customer Support to ensure security and appropriate 
reactivation; 

• Further limiting access to the most sensitive data in our databases by trun- 
cating SSNs displayed in non-public documents and narrowing access to full 
SSNs and DLNs to law enforcement clients and a restricted group of legally au- 
thorized organizations, such as banks and insurance companies; and 

• Educating our customers on ways they can increase their security. 

Laws Governing LexisNexis Compilation and Dissemination of Identifiable 
Information 

There are a wide range of Federal and State privacy laws to which LexisNexis 
is subject in the collection and distribution of personal identifying information. 
These include: 

The Gramm-Leach-Bliley Act. Social Security numbers are one of the two most 
sensitive types of information that we maintain in our systems and credit headers 
are the principal commercial source of Social Security numbers. Credit headers con- 
tain the non-financial identifying information located at the top of a credit report, 
such as name, current and prior address, listed telephone number, Social Security 
number, and month and year of birth. Credit header data is obtained from consumer 
reporting agencies.¹ The compilation of credit header data is subject to the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§6801 et seq., and information subject to the 
GLBA cannot be distributed except for purposes specified by the Congress, such as 
the prevention of fraud. 

Driver’s Privacy Protection Act. The compilation and distribution of driver’s license 
numbers and other information obtained from driver’s licenses are subject to the 
Driver’s Privacy Protection Act (DPPA), 18 U.S.C. §§2721 et seq., as well as State 
laws. Information subject to the DPPA cannot be distributed except for purposes 
specified by the Congress, such as fraud prevention, insurance claim investigation, 
and the execution of judgments. 

Telecommunications Act of 1996. Telephone directories and similar publicly avail- 
able repositories are a major source of name, address, and telephone number infor- 
mation. The dissemination of telephone directory and directory assistance informa- 
tion is subject to the requirements of the Telecommunications Act of 1996, as well 
as State law. 

FOIA and other Open Records Laws: Records held by local, State, and Federal 
governments are another major source of name, address, and other personally iden- 
tifiable information. The Freedom of Information Act, State open record laws, and 
judicial rules govern the ability of LexisNexis to access and distribute personally 
identifiable information obtained from government agencies and entities. See, e.g., 
5 U.S.C. §552. 

Other Laws 

Unfair and Deceptive Practice Laws: Section 5 of the Federal Trade Commission 
Act, and its State counterparts, prohibit companies from making deceptive claims 
about their privacy and security practices. These laws have served as the basis for 
enforcement actions by the Federal Trade Commission and state attorneys general 
for inadequate information security practices. The consent orders settling these en- 
forcement actions typically have required companies to implement information secu- 
rity programs that conform to the standards set forth in the GLBA Safeguards Rule, 
16 C.F.R. Part 314. 


¹ Consumer reporting agencies are governed by the Fair Credit Reporting Act (“FCRA”), 15 
U.S.C. §§ 1681 et seq. Some information services, such as Seisint’s Securint service and 
LexisNexis PeopleWise, also are subject to the requirements of the FCRA. 
Information Security Laws: A growing body of State law imposes obligations upon 
information service providers to safeguard the identifiable information they main- 
tain. For example, California has enacted two statutes that require businesses to 
implement and maintain reasonable security practices and procedures and, in the 
event of a security breach, to notify individuals whose personal information has 
been compromised. See California Civil Code §§ 1798.81.5, 1798.82-84. 

Legislative Measures LexisNexis Supports 

We recognize that additional legislation may be necessary to further enhance data 
security and address the growing problem of identity theft and fraud. LexisNexis 
supports the following legislative approaches: 

Data Security Breach Notification. We support requiring notification in the event 
of a security breach where there is substantial risk of harm to consumers. It is im- 
portant that there is an appropriate threshold for when individuals actually would 
benefit from receiving notification, such as where the breach is likely to result in 
misuse of customer information. In addition, we believe that it is important that any 
such legislation contain Federal preemption to insure that companies can quickly 
and effectively notify individuals and not struggle with complying with multiple, po- 
tentially conflicting and inconsistent State laws. 

Adoption of Data Security Safeguards for Information Service Providers Modeled 
After the GLBA Safeguards Rule. LexisNexis supports the adoption of data security 
protections for information service providers modeled after the Safeguards Rule of 
the GLBA. 

Increased penalties for identity theft and other cybercrimes and increased resources 
for law enforcement. LexisNexis strongly encourages legislation that imposes more 
stringent penalties for identity theft and other cybercrimes. Additionally, consumers 
and industry alike would benefit from enhanced training for law enforcement and 
an expansion of the resources available to investigate and prosecute the perpetra- 
tors of identity theft and cybercrime. Too many of our law enforcement agencies do 
not have the resources to neutralize these high-tech criminals. 

Finally, LexisNexis strongly encourages that any legislation considered strike a 
balance between protecting privacy and providing legitimate businesses, organiza- 
tions, and government agencies with access to critical information that enables them 
to fulfill their important missions. 

I appreciate the opportunity to be here today to discuss the important issues surrounding identity theft and fraud and data security. I look forward to working with 
the Members of this Committee as you consider these important public policy issues. 
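The remedial controls listed in the LexisNexis statement above (password rotation at least every 90 days for administrators and users, suspension after 90 days of inactivity, lockout after five failed login attempts with reactivation through Customer Support, truncated SSN display with full values limited to law enforcement and a restricted group of authorized organizations, and the review of unusual usage patterns that surfaced the Seisint incident) map directly onto a small account-policy module. The following is an added illustration written for this page; it is not LexisNexis or Seisint software. The three thresholds come from the testimony; the account fields, customer-class names, the 3x usage multiplier, the warm-up window and all sample records are constructed assumptions.

```python
"""Illustration of the account controls described in the testimony above.
Example code added to this page, not LexisNexis or Seisint software.
The 90-day, 90-day and five-attempt thresholds come from the testimony;
everything else (field names, customer classes, sample records, the
usage multiplier) is a constructed assumption for illustration."""
import re
from dataclasses import dataclass, field
from datetime import date
from statistics import median

MAX_PASSWORD_AGE_DAYS = 90   # passwords for admins and users rotate at least every 90 days
MAX_INACTIVE_DAYS = 90       # credentials unused for 90 days are suspended
MAX_FAILED_LOGINS = 5        # five failed attempts lock the account pending Customer Support

# Customer classes permitted to see full SSNs/DLNs. The testimony names law
# enforcement plus a restricted group such as banks and insurers; the class
# labels themselves are assumptions.
FULL_SSN_CLASSES = {"law_enforcement", "bank", "insurance"}


@dataclass
class Account:
    user_id: str
    password_changed: date
    last_login: date
    failed_logins: int = 0
    status: str = "active"            # active | suspended | locked
    must_change_password: bool = False
    notes: list = field(default_factory=list)


def record_login_attempt(acct: Account, success: bool, today: date) -> Account:
    """Update the failure counter; lock on the fifth consecutive failure."""
    if acct.status != "active":
        acct.notes.append(f"login refused: account is {acct.status}")
        return acct
    if success:
        acct.failed_logins = 0
        acct.last_login = today
        return acct
    acct.failed_logins += 1
    if acct.failed_logins >= MAX_FAILED_LOGINS:
        acct.status = "locked"
        acct.notes.append("locked after 5 failed logins; reactivation via Customer Support only")
    return acct


def apply_periodic_policy(acct: Account, today: date) -> Account:
    """Scheduled checks: suspend inactive credentials, flag stale passwords."""
    idle_days = (today - acct.last_login).days
    if acct.status == "active" and idle_days >= MAX_INACTIVE_DAYS:
        acct.status = "suspended"
        acct.notes.append(f"suspended: inactive for {idle_days} days")
    if (today - acct.password_changed).days >= MAX_PASSWORD_AGE_DAYS:
        acct.must_change_password = True
    return acct


_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def display_ssn(ssn: str, customer_class: str) -> str:
    """Return the full SSN only to permitted classes; otherwise show the last four."""
    m = _SSN_RE.match(ssn)
    if not m:
        raise ValueError("not a 9-digit SSN")
    area, group, serial = m.groups()
    if customer_class in FULL_SSN_CLASSES:
        return f"{area}-{group}-{serial}"
    return f"***-**-{serial}"


def unusual_usage_days(daily_searches: list, factor: float = 3.0, warmup: int = 7) -> list:
    """Return indices of days whose search volume exceeds `factor` times the
    median of all earlier days, once a warm-up window of history exists.
    A minimal form of the usage-pattern review the testimony describes."""
    flagged = []
    for i in range(warmup, len(daily_searches)):
        baseline = median(daily_searches[:i])
        if daily_searches[i] > factor * max(baseline, 1):
            flagged.append(i)
    return flagged


def run_demo() -> dict:
    """Constructed walk-through; `today` is the review completion date from the testimony."""
    today = date(2005, 4, 11)
    active = Account("cust-0001", password_changed=date(2004, 12, 1), last_login=date(2005, 4, 1))
    apply_periodic_policy(active, today)                 # password is 131 days old
    for _ in range(MAX_FAILED_LOGINS):
        record_login_attempt(active, success=False, today=today)
    dormant = Account("cust-0002", password_changed=date(2005, 3, 1), last_login=date(2004, 12, 15))
    apply_periodic_policy(dormant, today)                # 117 idle days
    return {
        "active_status": active.status,
        "active_must_change": active.must_change_password,
        "dormant_status": dormant.status,
        "dormant_must_change": dormant.must_change_password,
    }


if __name__ == "__main__":
    print(run_demo())
    print(display_ssn("123456789", "marketing"))        # constructed value, masked
    print(unusual_usage_days([20, 22, 19, 21, 20, 23, 18, 21, 240, 22]))
```

The lockout and inactivity checks are kept separate because they run on different triggers: one on every authentication event, the other on a schedule. The usage check deliberately compares against the account's own history rather than a global threshold, which is what lets a stolen legitimate credential stand out even when its absolute volume is unremarkable.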

Senator Smith. Thank you very much. Our next witness is Mr. 
Douglas C. Curling, President and Chief Operating Officer of 
ChoicePoint, of Alpharetta, Georgia. 

STATEMENT OF DOUGLAS C. CURLING, PRESIDENT/CHIEF 
OPERATING OFFICER, ChoicePoint® INC. 

Mr. Curling. Thank you. 

Chairman Stevens, Chairman Smith 

The Chairman. Pull that mike up toward you, please? Thank 
you. 

Mr. Curling. Certainly. Better? 

Chairman Stevens, Chairman Smith, Ranking Member Inouye 
and Members of the Committee, good morning. I’m Doug Curling, 
President and Chief Operating Officer of ChoicePoint. 

ChoicePoint has, on several occasions, provided Congress with 
testimony about the recent improper data access and the criminals 
who perpetrated this fraud, the steps we are taking to protect af- 
fected consumers, and the measures we’re taking to prevent similar 
violations from occurring in the future. I have provided the Com- 
mittee with details of these actions in my written testimony. 

At ChoicePoint, we recognize that in an increasingly risky world, 
information and technology can be used to help create a safer, more 
secure society. At the same time, we know, and have been painfully 
reminded by recent events, that there can be negative consequences to the improper access of personally identifiable data. As 
a result of these experiences, we’ve made fundamental changes to 
our business model and products to prevent this from happening 
again in the future. I hope you see in ChoicePoint a company that 
has listened to consumers, to privacy experts, and to government 
officials, and learned from this experience. 

Accordingly, we’ve responded rapidly and in fundamental ways. 
We’ve provided benefits to potentially affected consumers that no 
other information company had done before and several companies 
have since emulated, including voluntary nationwide notification, 
dedicated call centers and websites, free three-bureau credit re- 
ports, and 1 year of credit monitoring at our cost. Once again, we 
extend our apology on behalf of our company to those who have 
been potentially affected. 

We learned that there are few places for consumers to turn to if 
their identity is stolen. This, alone, increases the fear and anxiety 
associated with identity theft. For this reason, we have recently 
formed a partnership with the Identity Theft Resource Center, a 
leading and well-respected nonprofit organization dedicated exclu- 
sively to assisting identity-theft victims. 

Most importantly, we have shifted our focus to ensuring our 
products and services provide a direct benefit to consumers or to 
society as a whole. While this has meant exiting an entire market, 
we decided that consumer interest must come first. We have al- 
ready made broad changes to our products, limiting access to sen- 
sitive, personally identifiable information, and more changes are 
under development. 

Last year, we helped more than 100 million people obtain fairly 
priced home and auto insurance. More than seven million Ameri- 
cans get jobs through our pre-employment screening services, and 
we helped more than one million consumers obtain expedited copies 
of their own vital records — birth, death, and marriage certificates. 
These transactions were started by consumers, with their permis- 
sion, and they provide a clear, direct benefit to them. 

Not all of our work is as obvious, but the value is. At a time 
when the news is filled with crimes committed against children, 
we’re helping our Nation’s religious institutions and youth-serving 
organizations protect those in our society who are least able to pro- 
tect themselves. Our products and services have identified 11,000 
undisclosed felons among those seeking to volunteer with children, 
1,055 with convictions for crimes against children, 42 of whom 
were registered sex offenders. 

Consumers, businesses, and nonprofits are not the only ones that 
rely on ChoicePoint. In fact, government officials have recently tes- 
tified to Congress that they could not fulfill their missions of pro- 
tecting our country and its citizens without the help of ChoicePoint 
and others in our industry. Last month, ChoicePoint supported the 
U.S. Marshals Service in Operation Falcon, which served approximately 10,000 warrants in a single day. 

Mr. Chairman, apart from what we do, I also understand that 
the Committee is interested in how our business is regulated by 
Federal legislation, as well as various State regulations. Approxi- 
mately 60 percent of ChoicePoint’s business is driven by consumer- 
initiated transactions, most of which are regulated by the FCRA. 
These include pre-employment screening, auto- and home-insurance underwriting services, tenant screening services, and facilitating the delivery of vital records directly to consumers. 

Nine percent of ChoicePoint’s business is related to marketing 
services, none of which include the distribution of personally identi- 
fiable information. Even so, we are regulated by State and Federal 
Do Not Mail and Do Not Call legislation, and, for some services, 
the FCRA. 

Five percent of ChoicePoint’s business is related to supporting 
law enforcement agencies in pursuit of their investigative missions 
through information and data services. 

Six percent of our business supports law firms, financial institu- 
tions, and general business to help mitigate fraud through data 
and authentication services. 

The final 20 percent of our business consists of software and 
technology services that do not include the distribution of person- 
ally identifiable information. 

Although a majority of our products are already governed by the 
FCRA, we believe additional regulation will give consumers greater 
protections while strengthening our business model. I, therefore, 
want to conclude by stating for the record ChoicePoint’s position on 
future regulation of our industry. 

We support independent oversight and increased accountability 
for those who handle personally identifiable information, including 
public records. This oversight should extend to all entities, includ- 
ing public-sector, academic, and other private-sector organizations 
that handle such data. 

We support a preemptive national law that would provide for no- 
tification to consumers, ensuring that the burden of notice follows 
the responsibility for breach. 

ChoicePoint supports providing consumers with the right to ac- 
cess and question the accuracy of public-record information used to 
make decisions about them, consistent with the principles of the 
FCRA. There are technical and logistical issues that will need to 
be solved, but they are solvable. 

We’ve already taken steps to restrict the display of Social Secu- 
rity and driver’s license numbers, and would support legislation to 
restrict the display of Social Security numbers, modeling existing 
law, including GLB and FCRA. 

And, finally, we support increased resources for law enforcement 
efforts to combat identity theft, and stronger penalties for the theft 
of personally identifiable information. 

We have all witnessed the significant benefits to society that can 
come with the proper use of information, but we’ve been reminded 
firsthand the damage that can be caused when people with ill in- 
tent access sensitive consumer data. 

As a company, we have re-dedicated our efforts to creating a 
safer, more secure society. We look forward to participating in con- 
tinued discussion of these issues. And I would be pleased to answer 
any questions you may have. 

[The prepared statement of Mr. Curling follows:] 
Prepared Statement of Douglas C. Curling, President/Chief Operating 
Officer, ChoicePoint® Inc. 

Chairman Stevens, Ranking Member Inouye and members of the Committee, 

Good morning, I am Doug Curling, President and Chief Operating Officer of 
ChoicePoint. I have been with the company since its inception in 1997. ChoicePoint 
has on several occasions provided Congress with testimony about the recent im- 
proper data access and the criminals who perpetrated this fraud, the steps we are 
taking to protect affected consumers, and the measures that we are taking to pre- 
vent similar violations from occurring in the future. 

As you know, California has been the only State that requires consumers to be 
notified of a potential breach of personally identifiable information. We not only fol- 
lowed California law, we built upon it and voluntarily notified consumers who may 
have been impacted across the country, and we did that before anyone called upon 
us to do so. We’ve also taken other steps to help assist and protect the consumers 
who may have been harmed in this incident — first, we’ve arranged for a dedicated 
website and toll-free number for affected consumers where they can access addi- 
tional information; second, we’re providing, free of charge, a three-bureau credit re- 
port; and third, we’re providing, free of charge, a one year subscription to a credit 
monitoring service. 

In addition to helping those affected consumers, we’ve taken strong remedial ac- 
tion and made fundamental changes to our business and products: 

• ChoicePoint has decided to discontinue the sale of information products that 
contain personally identifiable information unless those products and services 
meet one of three tests: 

1. The product supports consumer driven transactions such as insurance, em- 
ployment and tenant screening, or provides consumers with access to their 
own data; 

2. The product provides authentication or fraud prevention tools to large accred- 
ited corporate customers where consumers have existing relationships. For 
example, information tools for identity verification, customer enrollment and 
insurance claims; or 

3. When personally identifiable information is needed to assist Federal, State 
or local government and criminal justice agencies in their important mis- 
sions. 

• Additionally, we’ve strengthened ChoicePoint’s customer credentialing process 
and are re-credentialing broad sections of our customer base. Our new process 
will require more stringent due diligence such as bank references and site visits 
before allowing businesses access to personally identifiable information. 

• Third, we’ve created an independent office of Credentialing, Compliance and 
Privacy that will ultimately report to our Board of Directors’ Privacy Com- 
mittee. This office is led by Carol DiBattiste, the former Deputy Administrator 
of the Transportation Security Administration, and a former senior prosecutor 
in the Department of Justice with extensive experience in the detection and 
prosecution of financial fraud. 

• Finally, we’ve appointed Robert McConnell, a 28-year veteran of the Secret 
Service and former chief of the Federal Government’s Nigerian Organized 
Crime Task Force, to serve as our liaison to law enforcement officials. In this 
role, he will work aggressively to ensure that criminal activities are inves- 
tigated and prosecuted to the fullest extent possible. He will also help us ensure 
that our security and safeguard procedures continue to evolve and improve. 

Obviously, our investigation as well as those of law enforcement continues and if 
we identify additional instances of fraud related to personally identifiable informa- 
tion we will provide notice. 

At ChoicePoint, we recognize that in an increasingly risky world, information and 
technology can be used to help create a safer, more secure society. At the same time, 
we know, and have been painfully reminded by recent events, that there can be neg- 
ative consequences to the improper access to personally identifiable data. As a result 
of these experiences, we’ve made fundamental changes to our business model and 
products to prevent this from happening in the future. I hope you see in ChoicePoint 
a company that has listened — to consumers, privacy experts and government offi- 
cials — and learned from this experience. Accordingly, we have responded rapidly 
and in fundamental ways. 

• We have provided benefits to potentially affected consumers that no other information company had done before and that several companies have since emulated — including voluntary nationwide notification, dedicated call centers and 
websites, free three-bureau credit reports and one year of credit monitoring at 
our cost. Once again, we extend our apology on behalf of our company to those 
who have been potentially affected. 

• We learned that there are few places for consumers to turn for help if their 
identity is stolen. This alone increases the fear and anxiety associated with 
identity theft. For this reason, we have recently formed a partnership with the 
Identity Theft Resource Center — a leading and well respected non-profit organi- 
zation dedicated exclusively to assisting identity theft victims. 

• Most importantly, we have shifted our focus to ensuring our products and serv- 
ices provide a direct benefit to consumers or to society as a whole. While this 
has meant exiting an entire market, we decided that consumer interests must 
come first. We have already made broad changes to our products — limiting ac- 
cess to personally identifiable information — and more changes are under devel- 
opment. 

Mr. Chairman, before delving into the specifics of various policy proposals, per- 
haps it would be helpful if I gave Members of the Committee a brief overview of 
our company, the products we provide and some insight as to how we are currently 
regulated. 

The majority of transactions our business supports are initiated by consumers. 
Last year, we helped more than 100 million people obtain fairly priced home and 
auto insurance, more than seven million Americans get jobs through our pre-em- 
ployment screening services, and we helped more than one million consumers obtain 
expedited copies of their family’s vital records — birth, death and marriage certifi- 
cates. These transactions were started by consumers with their permission, and 
they provide a clear, direct benefit to consumers. 

Not all of our other work is as obvious — but the value of it is. At a time when 
the news is filled with crimes committed against children, we’re helping our Na- 
tion’s religious institutions and youth-serving organizations protect those in our so- 
ciety who are least able to protect themselves. Our products or services have identi- 
fied 11,000 undisclosed felons among those volunteering or seeking to volunteer 
with children — 1,055 with convictions for crimes against children. Forty-two of those 
felons were registered sex offenders. In addition, using information and tools sup- 
plied by us, the National Center for Missing and Exploited Children has helped re- 
turn hundreds of children to their loved ones. 

Consumers, businesses and non-profits are not the only ones that rely on 
ChoicePoint. In fact, government officials have recently testified to Congress that 
they could not fulfill their missions of protecting our country and its citizens without 
the help of ChoicePoint and others in our industry. Last month, ChoicePoint sup- 
ported the U.S. Marshals Service in Operation Falcon, which served approximately 
10,000 warrants in a single day for crimes ranging from murder to white-collar 
fraud. 

Mr. Chairman, apart from what we do, I also understand that the Committee is 
interested in how our business is regulated by Federal legislation, as well as various 
State regulations, including the Fair Credit Reporting Act (FCRA) and the recently 
enacted companion FACT Act, the Gramm-Leach-Bliley Act (GLB), and the Driver’s 
Privacy Protection Act (DPPA). 

• Approximately 60 percent of ChoicePoint’s business is driven by consumer initi- 
ated transactions, most of which are regulated by the FCRA. These include pre- 
employment screening, auto and home insurance underwriting services, tenant 
screening services, and facilitating the delivery of vital records to consumers. 

• Nine percent of ChoicePoint’s business is related to marketing services, none of 
which include the distribution of personally identifiable information. Even so, 
we are regulated by State and Federal “Do Not Mail” and “Do Not Call” legisla- 
tion and, for some services, the FCRA. 

• Five percent of ChoicePoint’s business is related to supporting law enforcement 
agencies in pursuit of their investigative missions through information and data 
services. 

• Six percent of our business supports law firms, financial institutions and gen- 
eral business to help mitigate fraud through data and authentication services. 

• The final 20 percent of our business consists of software and technology services 
that do not include the distribution of personally identifiable information. 

Although a majority of our products are already governed by the FCRA and other 
Federal and State legislation, a small percentage of our business is not subject to 
the same level of regulation. We believe additional regulation will give consumers 
greater protections while strengthening our business model. I, therefore, want to 
state for the record, ChoicePoint’s positions on future regulation of our industry. 

• We support independent oversight and increased accountability for those who 
handle personally identifiable information, including public records. This over- 
sight should extend to all entities including public sector, academic and other 
private sector organizations that handle such data. 

• We support a preemptive national law that would provide for notification to 
consumers, ensuring that the burden of notice follows the responsibility for 
breach and that consumers do not become de-sensitized to such notices. We also 
support notification to a single law enforcement point of contact when person- 
ally identifiable information has fallen into inappropriate hands. 

• ChoicePoint supports providing consumers with the right to access and question 
the accuracy of public record information used to make decisions about them 
consistent with the principles of FCRA. There are technical and logistical issues 
that will need to be solved, but they are solvable. 

• We have already taken steps to restrict the display of full Social Security num- 
bers and would support legislation to restrict the display of full Social Security 
numbers modeling existing law including GLB and FCRA while extending those 
principles to public record information. Providing uniformity as to which portion 
of a Social Security number should be masked would be an important step. 

• Finally, we support increased resources for law enforcement efforts to combat 
identity theft and stronger penalties for the theft of personally identifiable in- 
formation. 

We have all witnessed the significant benefits to society that can come with the 
proper use of information. But we have been reminded, first-hand, the damage that 
can be caused when people with ill intent access sensitive consumer data. 

As a company, we have rededicated our efforts to creating a safer, more secure 
society. We look forward to participating in continued discussion of these issues and 
would be pleased to answer any questions you might have. 

Senator Smith. Thank you very much. 

For the benefit of my colleagues, the order is, after my questions, 
Senator Inouye, Senator Nelson, Senator Lautenberg, and Senator 
Vitter. We’ve been joined now by Senator Dorgan and Senator 
Pryor. If that’s all right with you, gentlemen, we’ll go in that order. 

Mr. Sanford, I think I heard you say that some 300,000 have had 
their security breached within your company. I guess my question 
is, have all these individuals, including, I believe, about 9,000 Or- 
egonians, received a consolidated credit report? And are they get- 
ting any credit-monitoring services from you all? 

Mr. Sanford. Senator, when we announced the security breaches 
in March, we mailed notice to approximately 30,000 individuals 
within the same week, modeled our notice after California legisla- 
tion, provided toll-free numbers for them to call to take advantage 
of those reports. April 11th, we also made notice of the additional 
incidents we discovered at our Seisint business. Again, within the 
week, we mailed notices to all 280,000. About 4 percent of the peo- 
ple that we’ve mailed notices to have responded. 

Senator Smith. And can you provide any update as to how many 
of those individuals actually experienced theft as a result of their 
identities being discovered? 

Mr. Sanford. It’s a tricky question on what is “theft,” because 
of different state interpretations, but, in terms of financial losses, 
of the 12,800-or-so people who have notified us, the process is to 
provide them the credit reports and then a monitoring service. And 
if there was any indication of any fraud or financial losses that 
may have occurred, we have a set of counselors, professionals, to 
do that. We’ve referred about a dozen people to those counselors. 
All of those, except for one, have been resolved to show that there 
was no problem. Sometimes consumers just forget they have a 
credit card. 

Law enforcement has advised us of ten individuals that — in their 
investigation — that there may have been some loss. Seven of those 
were related to people opening AOL accounts or making credit in- 
quiries under somebody else’s identity. Three people may have suf- 
fered some financial loss, although law enforcement’s not clear 
whether it’s related to the breach in our system. We, personally, 
contacted, or tried to contact, all ten of those; I think we’ve reached 
eight — personally tried to enroll them all into our services; I think 
half of them actually took us up on that. 

Senator Smith. Thank you. 

Mr. Curling, I was encouraged to hear of the technological sorts 
of steps you have taken to protect Social Security numbers and 
driver’s licenses. Is that something that has not been available 
until now? And is that a technological fix that you think actually 
makes less legislation necessary on our part? 

Mr. Curling. Well, the steps we’ve taken are a combination of 
technology changes and product offerings. We’ve completely 
changed the types of businesses we sell products to, and the cir- 
cumstances under which, even if they’re allowed to get access to 
that product under the law, we will choose to sell them products. 
So, most of the changes we made had to do with withdrawing from 
markets where there’s, in our opinion, difficulty credentialing cus- 
tomers, particularly small businesses that, for a company like 
ChoicePoint, whose preponderance of revenue is in other markets 
that are unrelated to these kind of public-record offerings, just isn’t 
in our commercial best interests to pursue. 

We have, however, taken steps and tried to change the products 
that we deliver to customers that we continue to serve, restricting 
access to Social Security numbers and driver’s license numbers, 
just as a business practice, because we think, given the propensity 
to — of identity theft out there now, it’s something everybody needs 
to step up to and go — we’ve got to find a way to link data correctly 
together by limiting the display of that Social Security number or 
other personal identifier. 

Senator Smith. Is it the case that the public is aware of all — 
however many security breaches have occurred at ChoicePoint? 

Mr. Curling. Well, I don’t — I would presume the public is paying 
attention to this topic, as is everybody else. In the breaches that 
we’ve investigated and noticed, we indicated it was about 45 to 50 
accounts that had been set up by a group of fraudsters. We noticed 
all of those folks and offered them the services I provided in my 
oral and written testimony. 

Senator Smith. Isn’t it true that there was a breach 5 years ago 
that just became public? 

Mr. Curling. Yes, we became aware — I, personally, became 
aware very recently of a breach that took place in the latter part 
of 2001, where we apparently got a subpoena in a California sub- 
sidiary, responded to that subpoena, working with law enforce- 
ment, closed an account down, and didn’t hear anything else about 
it again until the latter part of 2004. Back then, going back four 
or 5 years, I think that the practice of many of us, including our 
company, was to work with law enforcement to investigate poten- 
tial crimes, turn over information to them, prosecute the perpetra- 
tors, and law enforcement had the responsibility to notify and com- 
municate with victims. Obviously, since the California notice law 
has gone into place, our practices have changed substantially, and 
we now spend a lot more time trying to research all kinds of mat- 
ters to make sure we can comply with that law, and that some- 
thing like that would be communicated much more rapidly up the 
organization, going forward. 

Senator Smith. But when this occurred 5 years ago, were steps 
taken then to technologically get in the way of theft? 

Mr. Curling. I don’t know, sir. I don’t — I don’t believe that the 
breach was communicated outside of the local area that was af- 
fected — the local company affected by it. 

Senator Smith. Thank you. 

Senator Inouye? 

Senator Inouye. Thank you, Mr. Chairman. 

Mr. Sanford, how many companies can be designated as data 
brokers? 

Mr. Sanford. I don’t know the exact number. I would — in our in- 
dustry, there are dozens and dozens of businesses. From a competi- 
tive intelligence — we tend to focus on about a dozen of them, as pri- 
mary competitors, but there are many, many businesses in which 
you could get personally sensitive information on the Internet that 
I wouldn’t consider to actually be in my industry, but have access 
to the same information. 

Senator Inouye. Mr. Curling testified that most of your activi- 
ties, both of you, are covered by the FCRA provisions. 

Mr. Curling. Most of ours are, yes, sir. 

Mr. Sanford. Most of mine are not. 

Senator Inouye. Would you be in favor of having FCRA provi- 
sions cover all of the activities, Mr. Sanford? 

Mr. Sanford. I don’t believe the FCRA, and the FACT Act that 
reauthorized it, is the appropriate framework. I mean, the FCRA, 
as I understand it, Senator, was intended to cover very specific 
transactions — the granting of insurance, granting credit. The infor- 
mation services that we provide that are not governed by the FCRA 
are about identity authentication, finding and locating people. The 
FCRA has very limited permissive uses. And if we were to extend 
the FCRA to this industry, there are at least seven or eight major 
applications for identity theft and fraud-detection purposes that 
would be eliminated. 

Senator Inouye. Mr. Curling, would you be in favor of FCRA 

Mr. Curling. Yes, sir. I think, in general, we’d be fine with ex- 
tending the principles of FCRA to cover these records and products. 

Senator Inouye. At the present time, if a consumer wants to see 
his own file in your company, Mr. Sanford, would you let him do 
it? 

Mr. Sanford. We do have a consumer-access program in 
LexisNexis, and today a customer can ask for access to that infor- 
mation. We are not able to — if you recall, Senator, we have a — 
news and business information, as well, where we list all of the ar- 
ticles in the major newspapers — we’re not able to — because we 
don’t have personal identifiers — aren’t able to tell that John Smith, 
who’s asking for information, whether or not that’s the same John 
Smith that’s — appears in all of the different news articles or in the 
white pages, other public information. But we certainly would pro- 
vide access to the information in our public/non-public-record data- 
bases. 

Senator Inouye. Can a consumer have that right in your com- 
pany, Mr. Curling? 

Mr. Curling. Yes, sir, they do. We don’t maintain dossiers on 
consumers, but we have information products that have this con- 
sumer data, and those products are available for consumers from 
a single point of entry, either via a website we maintain or a 1-800 number. 

Senator Inouye. Now, if that consumer finds that there’s some 
incorrect information, is he provided the opportunity to correct it? 

Mr. Sanford. We have a small part of our business which is gov- 
erned by the FCRA and there are provisions that indicate exactly 
how those corrections happen. For the part that’s not part of the 
FCRA, our practice is, if the error in the information is related to 
the way in which we keyed the data or the way in which we stored 
the data in the database, we make the correction. If it’s an error 
that the individual is claiming is in the public record, the way in 
which a mortgage record or tax lien is recorded in a county court- 
house, we then point the individual to the county courthouse, be- 
cause we don’t have authority to change a public record, and we 
can’t have a database where our version of the public record is dif- 
ferent than what’s available in the public record. 

Senator Inouye. What’s the situation in your company, sir? 

Mr. Curling. The majority of our products are regulated by the 
FCRA, and, as a result, there’s a defined process for consumers to, 
you know, note the dispute and for us to help them go through and 
navigate that correction. For the public-record products that we 
have, our present policy is similar to that of my colleague here, 
LexisNexis, although there are some things that, if we extend the 
practices we talked about earlier in this hearing to, we could poten- 
tially help consumers not only know which courthouse that record 
came from and how it was sourced, but we’re also looking at ways 
to put disputes on the file much like the FCRA provides. So, even 
though it’s a correction we cannot make legally on their behalf, we 
can note the dispute in future searches that we would serve up to 
our customers. 

Senator Inouye. Now, if I wanted to buy information from either 
one of your companies, would you permit me? 

Mr. Sanford. We have a new-customer authentication 
verification procedure, Senator, that you would go through, like 
any other customer, and, depending upon the documentation and 
records that you provided, depending upon the uses that you 
claimed in our investigation, you would be able to get access to cer- 
tain types of databases. It might be our legal news and business 
information databases. It might be public records. It would un- 
likely, as a — in your current role, it would be unlikely to qualify 
you for access to a nonpublic-record information. 

Senator Inouye. Can I just buy information on a specific person? 

Mr. Sanford. Again, if you didn’t qualify for permissive pur- 
poses, you wouldn’t have access to that information. 
Senator Inouye. What is the policy in your company, Mr. 

Mr. Curling. You could not buy sensitive, personal identifiable 
information from ChoicePoint under our customer credentialing 
procedures. There are some information products you could buy. 
You can buy records — professional license records on your doctor 
and healthcare providers. You can buy your own vital records on 
behalf of your family. You can buy basic public records like real- 
estate records and directory searches, et cetera. But you wouldn’t 
be able to gain — to set up an account to gain access to any products 
that contained sensitive, personal identifiable information. 

Senator Inouye. Thank you very much. 

Thank you, Mr. Chairman. 

Senator Smith. Thank you, Senator Inouye. 

Senator Nelson? 

Senator Bill Nelson. Thank you, Mr. Chairman. 

Mr. Sanford, does your company compile, store, and sell this in- 
formation only, or does it also provide analysis of this information 
to your customers? 

Mr. Sanford. We compile data, and we have data analytics that 
link data. And then when a customer does a query, we, hopefully, 
give them the answer back which is the most correct answer avail- 
able on the analysis. But you’d have to perhaps give me an exam- 
ple, Senator, of what you mean, “beyond the analysis,” so I make 
sure I’m responding to your question. 

Senator Bill Nelson. Well, what kind of analysis would you pro- 
vide, for example, to law enforcement? 

Mr. Sanford. Law enforcement can do a specific query. If they’re 
looking for a particular individual, they could do a query on that, 
and they might say, “I’m looking for John Smith, who has the fol- 
lowing type of vehicle, whose last known address was the fol- 
lowing,” and they could do a query, and we could then provide in- 
formation of other known addresses for that same individual, or as- 
sociates of that particular individual. 

Senator Bill Nelson. So, there is some analysis — instead of just 
giving them information, you would compile material, and there 
would be some analysis of this information. 

Mr. Sanford. In that way that you defined it, yes, Senator. 

Senator Bill Nelson. Other than law enforcement, who else 
would you provide analysis to? Give me an example, as a customer. 

Mr. Sanford. Financial institutions might want to be ensuring, 
or a bank, when they’re opening an account, that the person who’s 
there to open the account is who they purport to be. They might 
want to use an ID product that would allow them to ask the indi- 
vidual some qualifying questions to make sure they really are who 
they purport to be. Again, they would then be able to access the 
broader databases to see unrelated information that might be in 
different repositories. 

Senator Bill Nelson. In following up to Senator Inouye, I think 
it’s absolutely critical, for the protection of the consumer, that they 
have access to this data, so that if, in fact, it’s wrong, they can cor- 
rect it. And I, further, think that it’s essential that the consumer 
should have access to the information of who is collecting that data, 
other than someone like a client of yours such as law enforcement. 

So, would you, for the record, state again what is the position of 
your company with regard to providing the consumer with informa- 
tion that is contained within your records? 

Mr. Sanford. If the question, Senator, is about — if I collected the 
information, should I provide notice to the consumer about its pur- 
poses and uses — I want to make sure you understand this — we 
don’t collect that kind of information, I would have to say. I’m not 
really clear on whether there should be legislation on that. If the 
question is — once I collect information from public and nonpublic 
sources — I have white-page phone information, I have public-record 
documents — I would not be supportive of sending a notice to a con- 
sumer each and every time a query might have gone on a database 
that touched their name. We’d be talking about sending millions 
and millions of notices 

Senator Bill Nelson. No, that’s not the question. The question 
is, If the consumer asks you for access to see what kind of informa- 
tion is being contained on that consumer 

Mr. Sanford. I’m sorry, Senator, I misunderstood. I thought 
there were two questions. I thought — one was access, and I thought 
I had previously indicated I was supportive of that — and I thought 
the second part was, Should I send them a notice 

Senator Bill Nelson. No, I didn’t ask about notice. 

Mr. Sanford. I misunderstood. 

Senator Bill Nelson. No. Notice is already what you’re required 
to do in the State of California, which is — and that’s something 
that I think this committee will be examining — once that informa- 
tion is breached and it has been withdrawn from the possession 
that you have, then, under California law, you’re required to notify. 
What we’re going to consider is that — should that be nationally, 
other than just the State? 

So, your testimony is that, with regard to giving the consumer 
access to the information that you contain, that you would be will- 
ing to do that. 

Mr. Sanford. We do that today in our LexisNexis business. 

Senator Bill Nelson. Well, then that’s very helpful. 

Now, tell us something about what is the procedure for becoming 
a LexisNexis client. When somebody becomes a client, does the cli- 
ent have access to all of LexisNexis’s databases, for any purpose? 
For example, if an attorney became your client to help locate a wit- 
ness, can that attorney also use your database for personal and 
other reasons? 

Mr. Sanford. The customers go through an authentication and 
credentialing process — applications, records. We do searches on 
various databases to verify their identity. Part of the application is, 
they have to indicate the permissive uses if they want to access 
personally identifying information and nonpublic record databases. 
Generally, lawyers do not qualify for access to that information. We 
call that, in our business, 5A access. 

Senator Bill Nelson. So, they have to qualify in order to be able 
to use the other parts of the database. 

Mr. Sanford. We have case law. We have news and business ar- 
ticles. This is not the kind of thing that goes through a special 
credentialing process. But access to, say, driver’s license number 
data or credit header information, nonpublic information, there’s a 
special credentialing process. 

Senator Bill Nelson. How do you monitor that? 

Mr. Sanford. Customers in each and every search session have 
to indicate what their permissive use is. We do have detection soft- 
ware. Under DPPA, I believe, each time you use a search where 
you access a driver’s license, you make a statement subject to 
criminal sanctions. It’s against the law to have an impermissive 
use under DPPA. 

We’ve instituted some recent procedures to do recredentialing, on 
a periodic basis, for customers when contracts are up for renewal. 
We’re enhancing procedures all the time. We’re looking at having 
systems administrators recertify on a monthly basis, or a 60-day 
basis. We’re working with our customers to figure out how we do 
that. Because we are in a mobile society, and people do have em- 
ployees that come and go from their business, we want to make 
sure that the people who have the passwords and IDs are still, you 
know, legitimate users in those businesses. 

Senator Bill Nelson. Mr. Chairman, I see my time is up. I will 
have some more questions in the next round. 

Senator Smith. We’ll have another round. 

Senator Bill Nelson. Thank you. 

Senator Smith. Senator Lautenberg? 

Senator Lautenberg. Thanks, Mr. Chairman. 

Just curious about the material that’s accessible when someone 
becomes a client of your firm, either one of you. Now, if — are most 
of these people likely to be looking for lists for mailing solicita- 
tions? 

Mr. Sanford. In LexisNexis, we don’t have a marketing busi- 
ness, except for a — there’s a very, very small business that helps 
people in bankruptcy, doesn’t have personally identifying informa- 
tion or driver’s license numbers. But 99 percent of what we do has 
nothing to do with marketing. We don’t have financial 

Senator Lautenberg. How about ChoicePoint? 

Mr. Curling. We have a collection of businesses, one of which is 
purely direct marketing, but those — all of our customers are 
credentialed and have access to separate product platforms. There 
is no common ChoicePoint access or single database with all the in- 
formation in it. The information is kept separate by product. So, for 
example, in direct marketing, the customers would have access to 
no sensitive, personal identifiable information. As I indicated in my 
testimony, it’s about 9 percent of ChoicePoint’s revenue. 

Senator Lautenberg. Yes, so if someone was a United States 
Senator, and they wanted to compile a mailing list for campaign so- 
licitation, could they have that list, sorted out by — a list sorted out 
by income levels? 

Mr. Curling. Well, that’s not a market we serve, so I can’t an- 
swer that, but if it was in a market that I do serve — well, we’re 
principally serving financial institutions and insurance companies. 
The preponderance of our revenue is in the insurance market. So, 
for insurance companies what they’re typically trying to do is look 
at the people they have insured today for auto and home policies 
and try and find more 

Senator Lautenberg. So it would have to be specific 
Mr. Curling. Typically, they’re going after a particular product. 

Senator Lautenberg. And when they sign up for your services, 
do they have to identify those lists that — or the area of listing that 
they might want to access? 

Mr. Curling. Yes. As a part of our credentialing — in marketing, 
as a part of that process, we would understand what products they 
wanted to buy 

Senator Lautenberg. So, they’re limited. They can’t 

Mr. Curling. They’re completely separate from other products. 

Senator Lautenberg. What — when people have — are expected — 
or suspected to be a substantial risk for identity and fraud, is it 
in the consumer’s best interest for the company to make that call 
or to inform consumers when there’s any breach at all? How do you 
anticipate that someone might be an easy target for identity theft? 
Do you? 

Mr. Sanford. Well, it’s very much the process we went through 
beginning in February. We have a chief security officer in the busi- 
ness. We investigate security issues. No company is immune to the 
constant attempts at hacking and penetration of their services. And 
what we did in our situation was, we looked at security breaches 
where a customer had said, “This is not my billing activity.” And 
when we could see that that was an employee who left the com- 
pany, who went across the street, say, figuratively, to work at the 
collection company across the street, and continued to conduct 
searches in the normal course of their business, that doesn’t 
present a risk of harm to the consumer. When an employee in a 
business is searching celebrities on a database, that doesn’t suggest 
a risk of harm to consumers. 

And so, what we looked for was anything in a search that we 
couldn’t authenticate, where there was some suggestion of risk of 
harm to a consumer. So, for example if the IP address of where 
that search emanated from came from a foreign country, and this 
was a domestic business, that was suggestive of a problem, given 
the body of literature on this issue. If people were using 
anonymizers, or if there was a virus or spyware inside of a customer’s 
environment, we said there’s some risk of harm. And the 
real challenge, Senator, is this trigger — is, When do you make no- 
tice? Because if there’s any risk of harm, or no risk of harm, I think 
you do run the risk of this over-notification. 

This is a very serious matter. But the facts, so far in our notices, 
have indicated, you know, next to no financial harm, at least, for 
those individuals. It’s very discomfiting to them, it’s a very serious 
matter, but I think we do have to wrestle with, What is it that’s 
going to trigger notice? Because the intent of notice, I hope, is to 
help someone protect themselves, not to make them immune to the 
notices they get so they don’t protect themselves that one time 
when they should. 

Senator Lautenberg. If someone — if a company is interested in 
debt collection, is that information fairly discernible in any of the 
groups that you have? 

Mr. Sanford. Debt collectors, credit departments, financial insti- 
tutions, and collection organizations are a part of our business, and 
what they’re looking for is authentication and location of the indi- 
vidual; so they may collect the debt from the correct person. Again, 
there are many, many John Smiths, and they’re trying to find out 
which John Smith is the right John Smith for this particular debt. 

Senator Lautenberg. Thanks, Mr. Chairman. 

Senator Smith. Thank you, Senator Lautenberg. 

Senator Dorgan? 

STATEMENT OF HON. BYRON L. DORGAN, 

U.S. SENATOR FROM NORTH DAKOTA 

Senator Dorgan. Mr. Chairman, thank you. And thanks to the 
witnesses. 

This is a complicated set of issues for those of us who don’t work 
in the business. And my understanding is that there is no Federal 
law prohibiting the use and sale of Social Security numbers. Would 
that be correct? 

Mr. Sanford. I think there are a number of laws. The most — 
GLBA would be most applicable, where it talks about the use 
of 

Senator Dorgan. GLBA? 

Mr. Sanford. Gramm-Leach-Bliley Act. 

Senator Dorgan. OK. 

Mr. Sanford. Excuse me, Senator — where it talks about our 
business, for example, as a recipient of information from a financial 
institution. Our use of that credit-header information, which includes 
the Social Security number, is restricted. 

Senator Dorgan. Do both of you do business in Europe and the 
United States? 

Mr. Sanford. Yes. 

Senator Dorgan. And can we go 

Mr. Curling. We do, principally, business in the United States. 

Senator Dorgan. Do you do business in Europe? 

Mr. Curling. We do very, very small amounts of business in Eu- 
rope, there are a few financial institutions that buy data for cus- 
tomer enrollment purposes, Patriot Act compliance, but very little; 
99-plus percent of our revenue is domestic. 

Senator Dorgan. Mr. Sanford, can you describe for us the dif- 
ference that exists with respect to the European approach pro- 
tecting confidentiality, versus the U.S. approach at this point, given 
current law? 

Mr. Sanford. I’m not an expert on the European privacy issues. 
I can speak to the U.S. I’d be happy to give you the information. 
Our business in Europe is principally a legal news and business in- 
formation service, as it is in Asia, Pacific, and Latin America. Our 
risk-management business focusing on public records is principally 
a U.S. business. 

Senator Dorgan. But if you — because you do business in Europe, 
you are required to comply with the — I believe it’s called the Data 
Protection Directive in Europe? 

Mr. Curling. We don’t collect public-record information or data 
from — on European citizens. 

Senator Dorgan. Well, the reason I was asking that — I was 
going to ask you your assessment of the approach the Europeans 
take, versus the approach that we take, under present law. And 
that, I think, goes to the heart of what we might ought to consider. 
Should we consider doing something that is much more restrictive, 
much more protective? And I believe that the Europeans do that. 
As I understand it, they require companies to provide consumers 
with notice, the ability to opt out with respect to nonsensitive com- 
mercial marketing of personal information, opt in with respect to 
sensitive, personal information, the right of access to personal in- 
formation collected, reasonable security protections for the informa- 
tion, and so on, which I think is different than now exists in this 
country. Is that right? 

Mr. Sanford. I think some of them are the same, and some of 
them are different. It depends, again, if we’re talking about FCRA 
applications, where I think you’d see opt-in — or, excuse me, opt-out, 
you would see notice and correction. 

Senator Dorgan. Tell me about, if you would — I expect neither 
of your companies are involved in this, but I think my colleague, 
Senator Inouye, was getting to it — if you, Mr. Sanford, go to the 
Internet today and decide you want to know about Senator Bill 
Nelson — you want to learn about him, you want to know every- 
thing there is to know about him, you want — you’d like to get his 
Social Security number, you want to find out about his driving 
record, you want to know everything about him. And my guess is 
there are many options for you on the Internet to pay $100, $50, 
or $150 to gather information about Senator Nelson. Is that cor- 
rect? 

Mr. Sanford. I believe there are. 

Senator Dorgan. And what kinds of companies are they that, on 
the Internet, are marketing that information? Do you know? It’s 
obviously 

Mr. Sanford. Yes, I wouldn’t want to speculate as to the busi- 
ness purposes. You wouldn’t be able to do that on our service. 

Senator Dorgan. I understand that. 

Mr. Sanford. You’d be able to access news articles and public in- 
formation that might be otherwise in a blog or, you know, in a 
Google-type search. 

Senator Dorgan. I understand that. And I’m not making a com- 
parison that either of you are involved in that. I’m just saying that 
that’s another type of data collection. Somebody is collecting infor- 
mation about Senator Nelson, and, for $150 or so, we can go find 
out what information they’ve collected, which I assume would prob- 
ably almost always include his Social Security number and a whole 
range of issues relating to his life. And that is also part of this 
data-collection industry, albeit smaller companies, likely, compa- 
nies that aren’t operating within the guidelines that you operate 
within. But as we consider all of these issues, you, of course, will 
always have to bear the burden of others in this industry that are 
marketing information in different ways. How do you feel about 
that? 

Mr. Sanford. We have policies and practices which are more re- 
strictive than some of the existing laws. I would certainly welcome 
enforcement of existing laws on my competitors. It is a competitive 
disadvantage for us, where we comply with laws, but people find 
ways to gain access to information that they shouldn’t. 

Senator Dorgan. Is Social Security the critical identifier with re- 
spect to personal information? 
Mr. Sanford. The Social Security number would probably be the 
most commonly agreed item. California statute also suggested driv- 
er’s license numbers. If you think about identity theft and getting 
a photo ID with a driver’s license number, I would include that as 
a sensitive piece of data, as well. 

Senator Dorgan. Is identity theft a crisis or a very serious prob- 
lem in this country, or is it overblown, in your judgment? 

Mr. Sanford. I think it’s a very serious problem, but I think it’s 
been a very serious problem for a long, long, long time. I’ve learned 
quite a bit from the research and — I mean, identity theft’s been 
going on, and fraud associated with identity theft’s been going on 
for decades and decades. Technology, while it’s very powerful, has 
facilitated it more recently. And that’s — you know, again, without 
downplaying the seriousness of us having very strong security safe- 
guards, the reality is — is that the bad guys now have technology 
tools available to them to go out and commit all kinds of fraud. 
And part of the solution has to be to create tools to stop them. Re- 
stricting access to data is certainly, in some people’s minds, a way 
to do that. I think if the restriction goes too far, we will, in fact, 
enable the bad guys to do even more than they’re doing now. 

Senator Dorgan. Mr. Chairman, first of all, I think it’s a service 
for you to hold this hearing. And I know the work that Senator 
Nelson has done, and others, is very important. You know, I think, 
frankly, most people would be aghast — most of our citizens would 
be aghast at the information that’s being collected with respect to 
their personal lives. And I think, as we dig into this issue and mine 
this issue a bit to understand it better, we have a lot of interesting 
choices to make about how to protect American citizens with re- 
spect to the gathering of their personal information by other com- 
panies. 

Senator Smith. I think you’re right, Senator. Thank you. 

Next, Senator Pryor. And we have been joined by Senator Nel- 
son — we’ll go to your questions after that, Senator Ben Nelson. And 
then back to Senator Bill Nelson for round two. 

STATEMENT OF HON. MARK PRYOR, 

U.S. SENATOR FROM ARKANSAS 

Senator Pryor. Thank you, Mr. Chairman. 

Let me ask both of you a question, because, as I understand, 
what we’re talking about here today is, the two entities you rep- 
resent have very different business models, right? You all have dif- 
ferent business models from one another. And they’re — and I think 
what it shows is, there’s kind of a diversity within the information- 
providers sector of our economy, if you will. What implications does 
the fact that you all have different business models — what implica- 
tions does that have on possible legislation? In other words, when 
I see something like what you’re talking about today, I’m concerned 
that a one-size-fits-all solution probably won’t work. So, could you 
discuss a little bit, if you can do it fairly briefly, about, you know, 
how you’re different and how you think we need to — as we look at 
legislation, how we should be careful to craft that to meet those dif- 
ferences? 

Mr. Sanford. Well, we’re both alike, to the extent that if we 
have an FCRA solution, we’re governed by the FCRA and the 
FACT Act. We’re both alike to the extent that if we’re dealing with 
information from financial institutions, we’re governed by the pri- 
vacy provisions of the Gramm-Leach-Bliley Act. We’re different in 
our product mix. And that’s our distinction. Now, our business 
practices may be different, and our policies, but, from a legislative 
standpoint, we are covered by the same laws; we just happen to 
have different concentrations. 

Senator Pryor. Do you agree with that, Mr. Curling? 

Mr. Curling. Well, I think, generally, that’s probably an accu- 
rate characterization. I mean, we — our product mix is principally 
consumer-driven transactions that are regulated by FCRA or soft- 
ware and services. So, the segment of public-record sales that are 
non-FCRA, that are nongovernmental, it’s a very small business for 
ChoicePoint. I think that the — some of the legislative proposals 
that have been put forth do deal with things, though, that all busi- 
nesses and all enterprises should agree on. I think that, you know, 
identity theft is a crime that doesn’t stay inside state borders. I 
think it’s a crime that doesn’t contain itself to a particular indus- 
try. You know, the breaches that were mentioned by the Com- 
mittee members earlier in the meeting happened to universities, 
nonprofits, government agencies, commercial enterprises. So, I 
think that some of the topics under discussion, you know, notice, 
you know, how we’re going to help affect the consumers. The things 
that we all need to do to try and provide more support for law en- 
forcement to drive fraud and identity theft out of our society are 
things we all agree on, regardless of the industry we’re in. And I 
think there is legislation there that everyone would agree on, and 
it would fit under one tent. 

Senator Pryor. Let me follow up on that, if I can, Mr. Curling, 
because there have been security breaches that have happened in a 
wide variety of companies and, as you said, some nonprofits, 
some — even some government entities. Should a security safe- 
guards rule be applied only to information — only to information- 
service providers, or should it be broader than that and cover all 
businesses and even nonprofits and government agencies? 

Mr. Curling. We believe that consumers’ interests are going to 
be best protected when, you know, it applies to all entities, regard- 
less of the type of organization or structure of that company. As I 
indicated, you know, if you collect, assemble, maintain, transfer, or 
manage sensitive data, a breach is a breach, and, whether that 
took place in a commercial enterprise or a nonprofit organization, 
consumers need to be noticed. 

Senator Pryor. Mr. Sanford, you said, in your written testimony, 
that you acknowledge that maintaining security is not a static 
process. In other words, you have to continually evaluate new or — 
new types of security breaches. And, obviously, I know you have 
your hands full there. Do you think it is possible for a small com- 
pany data-broker to maintain database security as diligently as 
they need to in order to prevent identity theft? It seems to me they 
might be at a disadvantage. 

Mr. Sanford. There are certainly high fixed costs for security. I 
mean, having credentialing programs, having detection software, 
monitoring, having resources to investigate certainly would be a 
disadvantage to a small business. 
Senator Pryor. What about third-party security audits? Do you 
use those in your company, right? 

Mr. Sanford. We do use them. 

Senator Pryor. And has that been a successful approach for you? 

Mr. Sanford. The third-party tends to be objective, has no loyal- 
ties, points it out to you, makes suggestions on things that are now 
available in the industry, state-of-the-art technology, different prac- 
tices and procedures. 

Senator Pryor. Do you know how widespread third-party secu- 
rity audits are in the industry? I mean, do the smaller companies 
use them? Do we know? 

Mr. Sanford. I don’t know, Senator. 

Senator Pryor. OK. Well, it looks like I’m just about out of time, 
so let me ask my last question here. 

Do you think that a consumer should have the ability to see his 
own file with your company? 

Mr. Sanford. In our non-FCRA businesses, we don’t maintain 
consumer files or consumer reports, but we do have the ability for 
them to get access to the information, running a search to see what 
information’s there. 

Senator Pryor. Is that available to them now? 

Mr. Sanford. Yes. 

Senator Pryor. And is that free? 

Mr. Sanford. No. There’s a fee for that. I’ve asked the team to 
look at, you know, what that fee should be. Unlike a — in a credit 
transaction, where data is pushed to you to assemble credit reports, 
we incur extraordinary cost to go collect and maintain all this in- 
formation. We’re not making a profit on giving them the reports. 
We have to authenticate the — I’m sorry, Senator 

Senator Pryor. Yes. 

Mr. Sanford. — we have to authenticate the individual to make 
sure who they are when they call up. We’re not just going to turn 
that information over to somebody over the phone. Then we have 
to prepare the report, and we mail it out to them. 

Senator Pryor. And, just as a very brief follow-up to that, be- 
cause we’re out of time, is — should the consumer have the ability 
to correct information in your file? 

Mr. Sanford. If the information has an error, is related to work 
we’ve done with it — let’s say we transposed data inadvertently 
when we were loading the file — we would certainly correct that. If 
it’s a public-record file, or a non-public-record file, like a credit 
header, we need — we generally point them right back to the source 
and say, “This is where we got this file from, let’s get the public- 
record source collected so that we have the correct public-record in- 
formation.” 

Senator Smith. Thanks, Senator Pryor. 

Senator Nelson? 

Senator Ben Nelson. Thank you, Mr. Chairman. 

Mr. Curling, you mentioned that if information is breached — se- 
curity is breached, information is now out — that there’s a notice 
that should be sent out to the parties. Should that security breach 
also be a violation of the specific law? Should there be strict liabil- 
ity for anything that comes from the misuse or the access of that 
information? 
Mr. Curling. Well, as we indicated, I think, Senator, we do 
agree that, you know, if there is a breach, we should send notice. 
And we would prefer the legislature draw a bright line as to what 
that notice criteria should be, because we don’t feel like we’re in 
a position to judge whether or not that breach posed a significant 
risk. In the event there is a notice, you know, we do have obliga- 
tions and responsibilities that we need to fulfill. The first is, we 
help those consumers that are affected, you know, try and do what 
they can to understand the breach, understand the significance of 
the effect on them, and give them access to information products 
that would help them monitor whether or not they’re going to be 
a victim of identity theft. And we believe we’ve done that. 

Senator Ben Nelson. What about strict liability? In other words, 
if you have — if you have control over the information, and it gets 
accessed, should you have strict liability for anything that occurs 
that is damaging to the name whose identity theft has occurred? 

Mr. Curling. Well, I’m not a lawyer, I don’t know that I’m pre- 
pared to understand 

Senator Ben Nelson. Well, no, I’m not necessarily saying you 
should you know right now, but do you think, as a matter of law, 
if you’re not strictly liable now, that that might be the kind of im- 
position of responsibility that would be appropriate? 

Mr. Curling. Well, there are certainly penalties and fines al- 
ready in place for breaches like this. I think that the primary, you 
know, view that ChoicePoint would have, as a commercial enter- 
prise, is, we have market forces at play, as well, that already put, 
you know, tremendous pressure on companies to not only do the 
right thing, but maintain the appropriate safeguards. And I think 
that the, you know, primary liability is with the criminals. And I 
think what we want to try and support is law enforcement, getting 
the fraudsters out of our system. 

Senator Ben Nelson. Well, if you were faced with the question 
we’re faced with — How does this get resolved? — what would be the 
first thing you would suggest we do? 

Mr. Curling. Well, I think there are many good proposals in 
place. You know, I previously testified in the Judiciary Committee 
that the proposal by Senator Schumer and Senator Nelson has a 
lot of good principles that we agree with. We believe in notice. We 
think notice is an important thing. You need to give a consumer 
a notice that a breach has occurred, and give them an opportunity 
to take the steps necessary to protect themselves. We believe that 
there need to be standards. And I think all of us, you know, would 
like to have a level playing field, whether that’s for us to better un- 
derstand the expectations that various constituencies place on us 
so we can feel like we’re honoring and acting responsibly in our ob- 
ligations, but also from a competitive and marketplace standard to 
understand what it is the rules should be. 

In my case, most of our products, as I indicated, that contain per- 
sonally identifiable information, are already regulated by the 
FCRA, which, as you well know, has been a tried and true kind of 
30-year standard for how this kind of information should be man- 
aged and what you should do if there is a breach or if there is some 
kind of dispute. We think that’s a good model. 

Senator Ben Nelson. Mr. Sanford? 
Mr. Sanford. Senator, I would recommend that the three most 
important things that this committee could consider, if the 
ambitioning goal is to make a dent in the amount of fraud associ- 
ated with identity theft, is, one, look at what the penalties are for 
the identity thieves, and make it a crime that nobody wants to 
commit. It’s a very hard crime to prove. Sometimes the value of the 
theft is difficult to prove, and the penalties sometimes make these 
misdemeanors, while the harm to society and the harm to the indi- 
viduals and the financial institutions, the banking industry, is in 
the billions. So, that’s one. 

Second, I do think a national notification standard is in order. 
California does have a law. Many, many states are considering, as 
we are here today, different notification bills across the United 
States, and I think having a national notification standard that has 
Federal preemption will ensure that when someone gets a notice, 
no matter where they live — because, remember, our people in this 
country move around quite a bit — they’ll understand what that no- 
tice means, and it won’t depend upon which State it came from. 

And, third, I think insisting — as Mr. Curling pointed out earlier, 
insisting on data-security safeguards, regardless of where that data 
repository is, would make sense — not just for commercial organiza- 
tions like us — so that we make it harder to get that information. 
And I — as indicated in my testimony, I believe that the Safeguard 
Rules, if they’re modeled after what’s in GLBA, would be a good 
start. 

I think that this framework needs to be flexible, because every 
company’s business is a bit different, technologies are different, the 
size of the business is different, and the threats are evolving. I 
think proscribing specific security — within a year or 18 months, we 
would have companies that might be in compliance with that, but 
would have ineffective security safeguards in place. 

Senator Ben Nelson. What about the — my question about strict 
liability for any kind of damages that the victim of identity theft 
might get as a result of information you held that was accessed by 
an identity thief? 

Mr. Sanford. It’s not something that I’ve previously considered. 
I’d be glad to give it some thought. I, top of mind, wonder if it 
wouldn’t provide some incentive for companies not to make notice — 
who were worried about the penalties — but it’s something I’d be 
glad to work with your — you and your staff on and consider. 

Senator Ben Nelson. Thank you. Thanks to both of you. 

Thank you, Mr. Chairman. 

Senator Smith. Thank you very much, Senator Nelson. 

As we go to a second round, I know Senator Inouye has ex- 
pressed an interest, but if there is no objection, Senator McCain, 
a Member of this Committee, has asked that we include in the 
record his statement. It relates to the leadership, tragically, of Ari- 
zona on this issue, and it’s an issue about which he is very con- 
cerned. 

Is there objection? 

[No response.] 

Senator Smith. We’ll include it. 

[The prepared statement of Senator McCain follows:] 
Prepared Statement of Hon. John McCain, U.S. Senator from Arizona 

Our Nation — along with the rest of the world — is experiencing a data revolution. 
Thanks to information technology, innovative business models, and globalization, 
data is flowing faster, more widely, and more freely than ever before. This current 
of information is helping our economy grow, but like many other revolutions, this 
one has not been bloodless. The dark side of our Nation’s information-based econ- 
omy is that the wider availability of data — including personal identifiable informa- 
tion — has contributed to the theft of millions of American identities. 

Unfortunately, identity theft is especially common in my home State. Federal 
Trade Commission data indicates that there were more reported cases of identity 
theft per capita in Arizona than in any other state in 2004. In addition, the FTC 
reports that the Phoenix area leads other U.S. metropolitan areas in the incidence 
of the crime. This has led one Arizona newspaper to christen my home State the 
“identity theft capital of the Nation,” a distinction that no Arizonan is proud of and 
that I will continue working to shed. 

Today’s hearing touches on yet another chapter in this country’s battle against 
identity theft. And, though I’m extremely concerned about the security breaches at 
companies like ChoicePoint and LexisNexis, I am not surprised by the news. 
ChoicePoint, for example, has compiled 19 billion records covering virtually every 
American adult according to press reports. Targets do not get bigger and more pre- 
dictable than that, and I have to say that I am disappointed to know that a com- 
pany that should have had better security measures in place did not. I look forward 
to hearing what ChoicePoint and LexisNexis are doing to restore integrity to their 
businesses. 

I trust that this will be the first of many hearings that the Committee will have 
on the issues of information security and privacy, and that the Committee will build 
on the work it has done in the past by taking a broad look at security and privacy 
issues during this Congress. Our purpose in doing so should be to protect consumers 
while maintaining the integrity and viability of our information economy. I, for one, 
believe that those goals are not mutually exclusive. 

I thank Chairman Stevens for holding this important hearing and the witnesses 
for coming before the Committee. 

Senator Smith. Also, I’ll include in the record the data security 
incidents in 2005 relating to public institutions, primarily univer- 
sities, and the tremendous levels of identity theft that has occurred 
at some of the major universities of our Nation. 

[The information previously referred to follows:] 


Data Security Incidents — 2005 

(As of 5/9, at least 35 incidents have been disclosed, potentially affecting more than 5.2 million individuals) 

Each entry lists Date, Entity and Affected, followed by the description of the incident. Cells the source leaves empty are marked "(not listed)". 

01/03/05  George Mason University  (Affected: 30,000) 
— Officials discover that hackers had accessed private information and Social Security numbers on students and staff. 

01/06/05  University of Kansas  (Affected: 1,400) 
— Administrators send letters to individuals whose personal information, including Social Security numbers, passport numbers, countries of origin, and birthdates, might have been compromised when a hacker accessed a server in November 2004. 

01/18/05  (entity not listed)  (Affected: 3,500) 
— Officials reveal a mid-November breach may have compromised names and SSNs of students and alumni. 

01/25/05  Science Applications International (SAIC)  (Affected: Unknown) 
— Desktop computers were stolen from the offices of Science Applications International Corp., an online payroll services company, compromising personal information of current and past stockholders. 

01/27/05  Purdue University  (Affected: 1,200) 
— An unknown person or group accessed a computer in the College of Liberal Arts’ Theatre Division containing names and SSNs of faculty, staff, students, alumni and business affiliates. 

02/02/05  Indiana University  (Affected: Unknown) 
— (description not listed) 

02/14/05  (entity not listed)  (Affected: not listed) 
— Officials reveal that the F.B.I. and campus police are investigating a computer security breach that left employees’ personal information vulnerable. It is unknown at this point how many have been affected. 

02/20/05  ChoicePoint  (Affected: 145,000) 
— Company confirms it was victimized by a customer fraud in which public records information about approximately 30,000 consumers may have been compromised; number of potentially affected consumers later increased to 145,000. 

02/24/05  T-Mobile  (Affected: 400) 
— Mobile phone accounts of Paris Hilton and 400 T-Mobile customers compromised by hackers. 

02/25/05  Westlaw  (Affected: “Millions”) 
— Accused by U.S. Sen. Charles Schumer of having “egregious loopholes” in one of its Internet data services that would allow thieves to harvest SSNs and financial identities of millions of people. 

02/05  (entity not listed)  (Affected: not listed) 
— Announced it had lost computer data tapes containing personal information on Federal employees, including some members of the U.S. Senate. 

03/08/05  PayMaxx  (Affected: 25,000) 
— Flaws in the online W-2 service of PayMaxx exposed customers’ payroll records. 

03/08/05  DSW Shoes  (Affected: 1.4 million) 
— Announced that credit card information from customers of more than 100 DSW Shoe Warehouse stores was stolen from a company computer’s database. The company announced on April 18 that the number of affected consumers could be 1.4 million. 

03/09/05  Harvard University  (Affected: 200) 
— Intruder gained access to its admission systems and helped applicants log on to learn whether they had been successful weeks before they were to find out. 

03/11/05  Reed Elsevier, Seisint Unit (LexisNexis)  (Affected: 310,000) 
— Announced that hackers gained access to sensitive, personal information of about 32,000 U.S. citizens on databases owned by Reed Elsevier. The company in April updated the actual number of potentially affected consumers to 310,000. 

03/11/05  Boston College  (Affected: 120,000) 
— Announced that hackers had accessed personal information of alumni in a computer system used for fund-raising. 

03/11/05  University of California-Berkeley  (Affected: 100,000) 
— Laptop computer stolen from a graduate division office contained the names and Social Security numbers of 98,369 individuals. 

03/14/05  Nevada Department of Motor Vehicles  (Affected: 8,900+) 
— Personal information compromised when thieves stole a computer from a Nevada DMV office. 

03/18/05  California State University, Chico  (Affected: 59,000) 
— Hackers broke into a housing and food service computer system, which contained names and SSNs of current, former and prospective students, as well as faculty and staff. 

03/23/05  University of Nevada, Las Vegas  (Affected: 5,000) 
— Administrators reveal that a hacker had been accessing the personal information of international students. 

(date not listed)  Mutual funds  (Affected: Unknown) 
— Wall Street Journal reveals numerous mutual funds reported data security breaches, including Armada Funds; Pimco, a unit of German insurance giant Allianz AG; The Dreyfus unit of Mellon Financial Corp.; Bank of America Corp.’s Columbia Funds unit; Nuveen Investments; The First American Funds unit of U.S. Bancorp; AmSouth Bancorp’s fund unit; CNI Charter fund unit of City National Bank of Los Angeles. 

03/25/05  Northwestern University  (Affected: 21,000) 
— Hackers broke into a graduate school server, exposing the Social Security numbers of students, faculty, and alumni. 

03/28/05  San Jose Medical Group  (Affected: 185,000) 
— Someone stole two computers that contained patient billing information, including names, addresses, Social Security numbers and confidential medical information. 

03/28/05  (entity not listed)  (Affected: Unknown) 
— (description not listed) 

04/08/05  Eastern National (vendor for National Park Service)  (Affected: 15,000) 
— Hacker infiltrated its “eParks.com” computer system and may have gained access to customer names, credit card numbers and billing addresses. 

04/10/05  Christus St. Joseph Hospital, Houston, Texas  (Affected: 16,000) 
— Published reports on 4/26 said the hospital had sent letters to 16,000 patients saying their medical records and SSNs were compromised due to the theft of a computer in a January burglary. 

04/10/05  (entity not listed)  (Affected: 5,000) 
— Published reports on 4/21 said the university had sent letters to more than 5,000 students, employees and graduates that their SSNs and other personal information were compromised in a breach of the school’s computer network that was discovered on 4/10. 

04/12/05  Tufts University  (Affected: 106,000) 
— Announced it was sending letters to 106,000 alumni, warning of “abnormal activity” on a computer that contained names, addresses, phone numbers, and, in some cases, Social Security and credit card numbers. 

04/13/05  (entity not listed)  (Affected: 180,000) 
— Credit card issuer sending letters to consumers who used General Motors-branded MasterCards to make purchases at Polo Ralph Lauren, stating that criminals may have obtained access to their credit-card information. 

04/19/05  Ameritrade  (Affected: 200,000) 
— Online discount broker reported it has notified current and former customers that it has lost a backup computer tape containing their personal information. 

04/23/05  Georgia Southern University, Statesboro, GA  (Affected: “Thousands”) 
— Associated Press reports on 4/28 that hackers broke into a GSU server that contained thousands of credit card and Social Security numbers collected over more than three years. 

04/26/05  (entity not listed)  (Affected: (est.) 6,700) 
— Engineering/construction company writes to employees, retirees, advising them that a hacker broke into the company’s computer system in February and might have stolen personal data, including SSNs and bank deposit information. 

04/28/05  Banks in New Jersey  (Affected: 500,000) 
— NBC reports scheme by bank managers and employees who sold personal data of about 500,000 holders of accounts of Bank of America, Wachovia, and Commerce Bank branches in New Jersey. 

04/28/05  Oklahoma State University  (Affected: Unknown) 
— University begins notifying students and alumni about the theft of a laptop computer from the career services office that contained Social Security numbers, genders, ethnicities, class levels and e-mail addresses of most Stillwater and Tulsa campus students and recent alumni. 

04/29/05  Florida International University  (Affected: Unknown) 
— Sun-Sentinel newspaper in Orlando reports on a “recent computer break-in” potentially compromising personal data of students, professors and staffers. A school official told the newspaper that electronic intruders apparently dialed into FIU’s computers from Europe. 

05/02/05  Time Warner  (Affected: 600,000) 
— Company announces that data on current and former employees stored on computer back-up tapes was lost by an outside storage company. 

Total — At least 35 incidents, potentially affecting more than 5,244,300 individuals. 


Senator Smith. Senator Inouye? 

Senator Inouye. Thank you very much. 

On the present laws and rules and regulations, I can have my 
telephone number unlisted to protect my privacy. I can also de- 
mand that spam callers be prohibited from using my number. Can 
I call upon your companies and say to take my name off your list? 

Mr. Sanford. We have an opt-out program that has restrictions 
on it. You could make a request to opt out of our non-public-record 
information databases if you were a victim of identity theft, if you were 
a law enforcement official who has had some threat of risk of harm, 
or we have a general other category which says any other threat 
of risk of harm that you would show us. And that might be, say, 
for example, a domestic-abuse victim. 

Senator Inouye. In other words, you have the final say as to 
whether I can or cannot take it out? 

Mr. Sanford. That’s correct, Senator. 

Senator Inouye. Mr. Curling? 

Mr. Curling. Many of our products already are opt-in products 
driven by the FCRA. There are products that we offer that do have 
opt-out provisions — the direct-marketing products, et cetera. Some 
of our products, though, the ones, in particular, I think, the subject 
of this hearing, the public-record products, are products that there 
is not an opt-out on, except for a law enforcement or a government 
official opt-out. Those are generally not records that are, you know, 
unique to ChoicePoint. They are records that society has deter- 
mined to be open public records, and people typically turn to 
ChoicePoint merely to — for cost effectiveness and convenience to ac- 
quire that record. Those are records that we don’t source. We didn’t 
originate them. We merely extract them from where — government 
repositories and courthouses around the country, and we don’t have 
an opt-out provision for those. 

Senator Inouye. Thank you very much. 

Senator Smith. Thank you, Senator Inouye. 

Senator Bill Nelson? 

Senator Bill Nelson. Thank you, Mr. Chairman. 

And, before I forget it, I would like — because I’m not going to ask 
all the questions here — to submit a number of questions in writing, 
as did Senator McCain. 

Senator Smith. We will include those questions and ask for their 
answer. 

Senator Bill Nelson. Thank you. 

And thank you, Mr. Curling, for your response to the other Nelson 
with regard to this Nelson’s legislation that is before this committee 
saying that, generally, the concept of it, that you would support 
it. And I want to go over those six items, things like creating 
a government industry working group to help develop best prac- 
tices for safeguarding information, and creating an Assistant Sec- 
retary of Cybersecurity within the Department of Homeland Secu- 
rity, and tightening commercial usage of Social Security numbers. 
Those are things that certainly could be embraced. Is that accu- 
rate? 

Mr. Curling. Generally speaking, yes, Senator. 

Senator Bill Nelson. All right. How about requiring all of the 
information-broker companies to notify consumers when a security 
breach occurs? You’ve already answered that in relation to other 
questions, and you generally support that concept. 

Mr. Curling. Yes. 

Senator Bill Nelson. How about mandates in the law that all 
companies must reasonably protect sensitive consumer informa- 
tion? 

Mr. Curling. Yes, Senator. 

Senator Bill Nelson. And then having a one-stop shop? What- 
ever the regulatory agency — my suggestion is that it is the Federal 
Trade Commission, but this would be an Office of Identity Theft, 
where a consumer could get help to restore their identity. 

Mr. Curling. We would agree with the one-stop shop, and we 
agree with enhancing the FTC’s oversight. 

Senator Bill Nelson. All right. Now, that’s pretty much the 
comprehensive bill that Senator Schumer and I have filed. What do 
you think about that, Mr. Sanford? 

Mr. Sanford. Senator, it’s a — it is a very comprehensive bill. I 
believe the intent, in terms of helping consumers and stopping 
identity theft and fraud, is certainly welcome. I think the parts of 
the legislation that strike me as the most relevant, that I would 
encourage this Committee, is the national notification standard for 
consumers. I would encourage Federal preemption so that we don’t 
have competing notification standards in the market. I think data 
safeguards definitely modeled after GLBA, that flexible framework, 
I think, is the appropriate measure 

Senator Bill Nelson. For information brokers? 

Mr. Sanford. Well, I think — as I mentioned earlier, I think 
the — if you have personally identifying information, which, if it got 
in the wrong hands — and we could agree on what personally identi- 
fying information is — and that posed a risk of harm to individuals, 
then I would say if you are maintaining that database, and you 
have a breach, then notice — you should give notice to individuals 
when you have that breach. 

Senator Bill Nelson. But a law that would mandate that the 
companies must reasonably protect this sensitive consumer infor- 
mation? 

Mr. Sanford. I agree, Senator, that the safeguards that I have 
mentioned, in GLBA, I believe are the right — is the right frame- 
work. I think that would go a long way in protecting data for, not 
just us, but other people who maintain personally identifying infor- 
mation. 

Senator Bill Nelson. What do you think about the one-stop 
shopping? 
Mr. Sanford. I’m not sure anybody could argue with additional 
help in oversight and funding for the Federal Trade Commission to 
help in identity theft. I know that Chairman Majoras testifies how 
many thousands of calls a week they get, and I’m sure that that 
would just be something that would be very helpful. 

Senator Bill Nelson. I’ve talked to her personally about it, and 
she is — without endorsing it, she is clearly very positively inclined. 

Let me ask Mr. Curling, because, my previous round, I had the 
chance to talk to Mr. Sanford. ChoicePoint has described itself as 
a “private intelligence service.” ChoicePoint markets itself as “sell- 
ing actionable intelligence.” Could you explain what this means for 
your company to be in the intelligence business, and explain how 
consumers would feel comfortable with that? 

Mr. Curling. Sure. I’m not sure that we characterized ourselves 
as a private intelligence agency. I believe that was an author of a 
book that characterized that. But we do — we do use 

Senator Bill Nelson. One of your staff yesterday told my staff 
attorney that it had been characterized that way. 

Mr. Curling. Well, I’ll have to have a conversation with my 
staff. But we are a company that provides identification and cre- 
dential verification solutions to principally commercial enterprises. 
And what we try and do is help them understand and manage the 
risks that they face. So, what we want to give them — as you’re 
aware, data is expensive to acquire and time-consuming to ana- 
lyze — what we want to give them is just the right information at 
the right time. So, our services are all oriented around things like 
helping an insurance company understand how to evaluate and 
price the risk of an applicant for auto insurance, so that consumer 
gets the insurance policy that they want at a price that’s fair for 
them; how to help a commercial employer do a background check 
on a prospective employee, so that that employee is able to get the 
job that they want, but the employer is able to effectively manage 
the risk that the society puts on them to know who’s engaged in 
their work force. That’s the kind of actionable intelligence that 
ChoicePoint products offer. 

Senator Bill Nelson. You have a product named AutoTrackXP, 
and it’s not subject to the Fair Credit Reporting Act, and it appears 
to contain some of the sensitive consumer information that is in 
other products that you admit are regulated, as are detailed and 
full credit reports. Explain to the Committee why ChoicePoint be- 
lieves that the AutoTrackXP is not regulated under the Fair Credit 
Reporting Act. 

Mr. Curling. Well, that’s a search engine, not really a report, 
but that product is used for investigative purposes. The largest cus- 
tomer set is law enforcement. But, again, as you’ve heard today in 
the testimony, there are other markets, like fraud prevention for 
insurance fraud research, as well as investigative research by com- 
mercial financial enterprises, that run searches to try and get in- 
formation back. For those customers, that search does contain sen- 
sitive, personally identifiable information. Since we’ve made the 
business changes to our business, we don’t offer that product with 
personally identifiable information in it to any segments other than 
law enforcement, large financial institutions, and insurance compa- 
nies. 
Senator Bill Nelson. So, the theft that occurred by the Nigerians faking the identity could not have occurred in that sensitive 
information. 

Mr. Curling. No, it did, in fact, occur in that sensitive informa- 
tion, but, as a result of that fraud, we have changed our product, 
and won’t offer — and do not offer that product to those parts of the 
market. 

Senator Bill Nelson. All right. And, if I may, just this last 
question. ChoicePoint has estimated that identity thieves obtained 
sensitive, personal information on about 145,000 people. I be- 
lieve — 

Mr. Curling. That’s correct. 

Senator Bill Nelson. — I believe that’s what you’ve stated. 

Mr. Curling. Yes. 

Senator Bill Nelson. Now, the L.A. Sheriff’s Department estimates that figure to be four million. Can you explain why those figures are so different? 

Mr. Curling. Sure. I think that the quoted number of four million was a very early estimate by the L.A. Sheriff’s Department, 
going back to September or October of last year. That was long be- 
fore the investigation had actually gone through the searches that 
had been done, anybody had determined how many potentially af- 
fected consumers were affected by that. We’ve appointed Robert 
McConnell, a 28-year veteran of the Secret Service and, for the last 
5 years of his career, the head of the Federal Government’s Inter- 
agency Nigerian Organized Crime Task Force. I spoke with Robert 
yesterday. He has confirmed to me that the L.A. Sheriff’s Department 
now believes that our estimate is accurate. 

Senator Bill Nelson. Gentlemen, I look forward to working with 
you on this legislation. 

Senator Smith. Thanks, Senator Nelson. 

We’re pleased to be joined by Senator Kerry. We’ve completed a 
second round of questions, Senator. If you have an opening state- 
ment or questions for this first panel, we’ll be happy to 

STATEMENT OF HON. JOHN F. KERRY, 

U.S. SENATOR FROM MASSACHUSETTS 

Senator Kerry. Thank you, Mr. Chairman. No, I apologize for 
being late, but we had competing meetings, as is always the case 
here. I apologize to the witnesses. 

I’ve tried to get an update as fast as possible so I’m not overly 
repetitive here. And I know a lot of questions, good questions, have 
been asked. 

Obviously, from the participation here today, you can get a sense 
of the importance. But you already knew that before you came 
here, because of the outcry, publicly, and the concerns that people 
are expressing. And the moving, sort of, model statewide, beginning 
with California, of regulation is, obviously, an indication of people’s 
desire to do something. 

I understand your business models, and I understand that the 
information you provide is, obviously, often used for very valid pur- 
poses, but, as we move forward, the question of how to protect this 
is, needless to say, critical. During the campaign last year, and I 
think it came to fruition yesterday or today, President Bush and 
I both talked about e-medical records and the need to try to reduce 
costs in the medical system. And, obviously, that’s critical. And I 
just wonder if you could share with us a little bit, sort of, first of 
all, what types of personal information currently do your — do you 
maintain in your product lines, including information based on bio- 
metrics, DNA, and medical records? 

Mr. Curling? 

Mr. Curling. We don’t maintain any data on biometrics, DNA, 
or medical data. The data 

Senator Kerry. Might you, as this opens up now with a certain 
amount of money? I mean, is this not a lucrative business prospect? 

Mr. Curling. I don’t know whether it’s a lucrative business pros- 
pect or not, but it’s not an area where we have a lot of expertise 
or traction. We do have a DNA laboratory that supports our law 
enforcement initiatives, but that laboratory, Bode Labs, merely 
takes specimens on behalf of law enforcement agencies, processes 
the DNA, maintains chain of custody, and turns that back over to 
them for forensic purposes. Our scientists have been to the — Thai- 
land to work on the tsunami. We identified the victims of the 
World Trade Center tragedy through that laboratory. But it’s a fo- 
rensic-science laboratory that’s really an extension of the services 
we do to support law enforcement, not a business — part of our busi- 
ness model that we necessarily embrace. 

I think it is possible that the identifiers that we all begin to see 
used more in our society are perhaps biometric identifiers you’re 
seeing today, technological solutions beginning to be deployed. 
They use authentications exceeding User IDs and passwords, and 
incorporating things like biometrics. But that’s not something that, 
in the industry that I’m in, is in heavy use today. 

Senator Kerry. Mr. Sanford? 

Mr. Sanford. We don’t collect medical information, Senator, or 
biometrics, or DNA, either. 

Senator Kerry. What about that information, Mr. Curling, that 
you do collect, in terms of the forensic chain-of-custody — is there 
any intrusive link in there that should be of concern? 

Mr. Curling. No, sir. That data doesn’t get — the data reposi- 
tories in ChoicePoint are generally housed at the product level. 
None of the information in Bode Laboratories, which is in Spring- 
field, Virginia, goes out of the laboratory into other places in 
ChoicePoint. 

Senator Kerry. When you say you changed your business model, 
and essentially have tightened procedures, what loopholes did you 
tighten? 

Mr. Curling. Well, I don’t know that I would say we tightened 
loopholes. We made business decisions that we thought were in the 
best interest of our company, given the experiences that we’ve had, 
and they were basically twofold. One, there are businesses that are 
hard to credential. Those are small businesses. And, given that the 
preponderance of our revenue is in large, either government con- 
tracts, or government — or commercial enterprises, small businesses 
are simply something that’s awful hard for us to adequately cre- 
dential and ensure that we know exactly who, on the other end, is 
buying the information products. We chose to exit the market of 
selling sensitive, personal information to those businesses, even 
though they have legitimate business interests to get at. And, you 
know, certainly small businesses face many of the challenges that 
big businesses do. 

Second, there are products that we sell that, while legal, don’t 
have direct consumer benefit. And so, we chose to not sell to cer- 
tain segments of the marketplace, sensitive, personal data that 
they’re legally entitled to get, but they don’t fit our business model. 

Senator Kerry. Was that small-business change specifically in 
response to the Nigerian 

Mr. Curling. Yes, it was. 

Senator Kerry. It was, OK. 

Is it your judgment now that those two problems were the only 
two problems? Or are you taking further steps that we should be 
aware of? 

Mr. Curling. Well, our investigations, and those of law enforce- 
ment, continue. There’s — you know, we tend to think of security 
risks in five different categories — you know, basic physical-posses- 
sion risk, which you can think of as common burglary or the — just 
loss of data; second, the hacking potential — and we have, like most 
in our industry, you know, monitoring software and extensive tools 
to try and monitor and track, and preventing hacking attempts; 
you have properly credentialed customers that have an employee 
that does a search they’re not permitted to do, you know, the typ- 
ical scenario of doing a background check on somebody’s girlfriend 
or neighbor; you have properly credentialed customers that lose 
track of passwords and User IDs, which you’ve already heard of — 
testimony today; and then, last, you have, you know, customers 
that get past credentialing procedures that simply should not have 
been credentialed as customers, and that’s the experience we most 
recently had, where the notices were driven by. 

Senator Kerry. With respect to the law enforcement agencies, I 
gather you sell information to about 7,000 agencies. Is that correct? 

Mr. Curling. We serve 7,000 agencies. A lot of those don’t buy 
data. They’re buying software or tools from us. 

Senator Kerry. So, is there any limitation on the sale of that in- 
formation to law enforcement? 

Mr. Curling. Well, we’re limited by the type of information we’re 
able to legally obtain from the repositories. The States have laws, 
as does the Federal Government, about what data can be sold and 
under what conditions it can be used. 

Senator Kerry. So, that’s established by the States. 

Mr. Curling. And by Federal Government. But, Senator, large- 
ly — and, as I testified earlier today, largely the Federal agencies 
are turning to us to buy otherwise readily available public-record 
information. They’re merely turning to us for convenience and cost- 
effectiveness. 

Senator Kerry. And which law enforcement agencies do you cur- 
rently sell this — what I assume can be termed sensitive consumer 
information? 

Mr. Curling. We sell to a wide variety of Federal — we serve 
most of the Federal law enforcement agencies, and many State and 
local law enforcement agencies. 

Senator Kerry. Is there any standard of probable cause? 
Mr. Curling. There are — we have circumstances under which 
they inform us they want to buy data for investigations, but we’re 
not privy, nor would you want us to be, to the actual investigations 
those law enforcement agents are conducting. 

Senator Kerry. So, it’s an automatic affirmative response for in- 
formation. 

Mr. Curling. In most cases, yes, sir. 

Senator Kerry. No matter what. 

A few years ago, you acquired VitalChek, which is a company re- 
sponsible for handling vital records — birth, death, marriage, di- 
vorce — in all 50 states. How is that information shared with 
ChoicePoint? 

Mr. Curling. It’s not. That’s an ordering and payment platform 
where a consumer orders a vital record directly from a vital-records 
office. We provide a technology infrastructure to those vital-records 
offices. They receive the customer order, they pull the vital record, 
and they deliver it through secured carrier, directly back to the 
consumer. The records never come through ChoicePoint. 

Senator Kerry. So, there’s no transfer of any of that information 
outside of VitalChek, itself. 

Mr. Curling. No, sir. 

Senator Kerry. Do both of you accept the premise that I think 
has been bouncing around here today that reasonable security 
standards ought to apply universally to any custodian of sensitive, 
personal information? 

Mr. Sanford. Yes, Senator. 

Senator Kerry. And Mr. Curling? 

Mr. Curling. Yes. 

Senator Kerry. Well, I think most of the other questions were 
touched on. Let me just ask you, for my own edification, how do 
you collect and maintain, store, and protect the information? 
What’s the process by which you do that, if you could go through 
that? 

Mr. Curling? How do you collect the information and maintain it 
and store it? How do you go about that? 

Mr. Curling. It varies widely by market. In the largest market 
we serve, which is the insurance market, we gateway directly to 
states to get motor-vehicle records and driver’s-license records, in 
most cases, and we deliver those back directly to our insurance cus- 
tomers an application at a time. So an application comes in, we 
break that application down against some decision rules the insur- 
ance company has given us, and then we begin to buy information 
products. Sometimes we — their products that we database and 
warehouse, sometimes we go gateway to them. 

Senator Kerry. Do you gateway to credit-check companies, credit 
companies? 

Mr. Curling. We do. 

Senator Kerry. Do you see any distinction between the informa- 
tion that you use and sell, and the information that’s on some- 
body’s credit record? 

Mr. Curling. In many cases, from a regulatory standpoint, 
there’s not a difference. We are a consumer reporting agency gov- 
erned by the FCRA in many of the information products we have. 
The insurance products would be FCRA products. We would be 
treated similarly to a credit-reporting company. The same is true for 
our pre-employment workplace solutions products and our tenant 
screening products. 

Senator Kerry. Do you think, from a legal point of view, that 
any individual in America, as a citizen, has a proprietary interest 
in their own information? 

Mr. Curling. I think citizens are obviously very concerned about 
the data 

Senator Kerry. Proprietary information, proprietary interest. In 
other words, should you be trafficking in their information, and 
they have no participation in the process? 

Mr. Curling. Again, the majority of our transactions that con- 
tain sensitive consumer information are initiated directly by con- 
sumers, so the transaction would not happen if a consumer hadn’t 
initiated it. 

Senator Kerry. But, of course, that depends on knowledge, right? 

The knowledge standard. I mean, the opt-in 

Mr. Curling. Well, they 

Senator Kerry. — or out, whether they know or don’t know 

Mr. Curling. Well, they applied for an automobile insurance pol- 
icy, and, on the application 

Senator Kerry. But they didn’t apply to have their information 
go to you to be winning you a profit for the transfer of whatever 
their life is, did they? 

Mr. Curling. I wouldn’t know, Senator. 

Senator Kerry. Mr. Sanford? 

Mr. Sanford. I don’t believe that a proprietary standard is work- 
able. We use public-record information to provide very vital serv- 
ices that 

Senator Kerry. Is 

Mr. Sanford. — actually help consumers 

Senator Kerry. — is the information of a credit company public 

record, or is it private 

Mr. Sanford. We are not 

Senator Kerry. — privately held 

Mr. Sanford. — we don’t collect 

Senator Kerry. — on a specific kind of contract relationship, the 
contract between the individual and that particular entity? 

Mr. Sanford. Yes. We do not collect financial or credit informa- 
tion on individuals, so we’re not in that business. 

Senator Kerry. Mr. Curling, what about that? Is it specifi- 
cally — 

Mr. Curling. I’m not an expert in the Fair Credit Reporting Act, 
but I believe that a consumer — a credit-reporting agency has opt- 
in and opt-out, both provisions, on it with respect to certain uses 
of their products. And, in many cases, our products are regulated 
by the FTC under FCRA, just as they are. 

Senator Kerry. Well, I think one of the things, Mr. Chairman, 
we’re going to have to think through very carefully as we go for- 
ward is, sort of, what is the level of knowledge and options avail- 
able to anybody as to how far and how wide their information goes. 
I think that’s central to this. And I thank you. 

Senator Smith. Thank you, Senator Kerry. 
We do need to go to our second panel, but Senator Nelson has 
one final brief, burning question. 

Senator Bill Nelson. Yes. And I think this will illustrate the ex- 
tent to which information can be covered. 

Both of you have indicated that you don’t collect and store med- 
ical records. Isn’t that correct? 

Mr. Curling. That’s correct. 

Mr. Sanford. That’s correct, Senator. 

Senator Bill Nelson. Well, for example, Mr. Curling, you said 
you specifically represent, as clients, insurance companies. 

Mr. Curling. We do. 

Senator Bill Nelson. So, some of those are life-insurance com- 
panies. 

Mr. Curling. No. Mostly property and casualty, sir. I should 
have been more specific. Auto and home insurance. 

Senator Bill Nelson. No life insurance companies. 

Mr. Curling. No, sir. We have — may have some life-insurance 
customers in the marketing business, but we don’t do underwriting 
of life-insurance products. 

Senator Bill Nelson. Well, if you represent life-insurance com- 
panies — and you’re saying you don’t — they have the medical 
records 

Mr. Curling. That is not 

Senator Bill Nelson. — for someone getting a life-insurance pol- 
icy that they require a physical exam. 

How about you, Mr. Sanford? Do you represent any life-insurance 
companies? 

Mr. Sanford. We have life-insurance companies who are cus- 
tomers, but not in the medical-records business. For example, the 
legal departments of insurance corporations. But we don’t collect 
medical records, we don’t underwrite insurance, we don’t have a 
business that does that. 

Senator Bill Nelson. You said, last October, that you bought a 
Florida company, in Boca Raton, named Seisint. Seisint has a pro- 
gram called Matrix. It’s one of the most extensive tools that is used 
by law enforcement. As a matter of fact, the officials of that com- 
pany told me, within a few days after September 11, that they 
could determine who were the hijackers, who were the perpetrators 
of September 11. That information, how do you protect that infor- 
mation? 

Mr. Sanford. The Matrix program was a federally funded pilot, 
which has ceased. I believe it stopped last month, actually. Matrix 
is a — was a search engine that allowed law enforcement to search 
our services for public-record information, and they could also, at 
the same time, search their own databases. We did not maintain 
or manage that. That was managed, I believe, by the Florida De- 
partment of Law Enforcement on behalf of the other States that 
participated in that. 

Senator Bill Nelson. And so, that system wouldn’t have any bi- 
ometric information, no DNA information, no medical information? 

Mr. Sanford. Again, the Matrix program, our participation in it, 
is to share our technology and access to our data. What the State 
law enforcement organizations are searching, I believe, are things 
like sexual offender databases, correction records, arrest records 
when they’re trying to locate a suspect. I’m not aware — I’ll be glad 
to check with my staff and get back to you if there was any medical 
information, access to that. I don’t believe there was. 

Senator Bill Nelson. Blood types, diseases, scars, identification 
marks, et cetera, et cetera. 

Mr. Sanford. I’ll have to get back to you, Senator. 

Senator Bill Nelson. I would appreciate it very much. 

Senator Bill Nelson. Mr. Chairman, I think you see the concern 
welling up here of the extent of which if these folks, which, thank- 
fully, you all are very, very accommodating here to want to help 
us develop this legislation, but if we are not successful, you can see 
that no one in America is going to have any privacy left if people 
can invade your databases. You say you want to present — prevent 
that. That’s what we’re trying to do. 

Thank you very much. 

Senator Kerry. Could I just have one quick follow-up? 

Senator Smith. You bet, absolutely. 

Senator Kerry. Would either of you sell to a political committee? 

Mr. Sanford. I think you — Senator, we have legal research busi- 
ness, news and business information services. There’s nothing that 
would stop them from having access. I don’t think they would qual- 
ify for a permissive use under GLBA or the DPPA, though. I mean, 
those are around fraud detection and prevention and law enforce- 
ment type of permissive uses. 

Senator Kerry. But is there anything to stop a committee from — 
have you sold anything to a political 

Mr. Curling. Not that I’m aware of, no, Senator. 

Senator Kerry. But could they buy it? 

Mr. Curling. I don’t believe that’s a customer segment we serve. 

Senator Kerry. But could they? 

Mr. Curling. I don’t believe they would get credentialed. But I 
can find out. I’m not — It’s not a question I’ve heard before. But I 
don’t believe — I’ve never heard — I’ve been around with the com- 
pany — 

Senator Kerry. Well, do you have a 

Mr. Curling. — since its inception, and 

Senator Kerry. — do you have a means of checking, sort of, 
the 

Mr. Curling. We have a business-purpose criteria upon which 
we’ll enroll people as customers. I don’t believe political committees 
meet the business purpose; therefore, I don’t believe we would set 
up a customer 

Senator Kerry. What about a 

Mr. Curling. — account for them. 

Senator Kerry. — political consultant who’s doing sophisticated 
political analysis 

Mr. Curling. We don’t 

Senator Kerry. — polling analysis? 

Mr. Curling. I don’t believe they’re customers of ours, nor do I 
believe we’d serve them. 

Senator Kerry. You don’t believe. But there’s no set of guidelines 
with respect to 

Mr. Curling. I’m trying to be very specific. There are very spe- 
cific guidelines about who we serve as customers. I’ve never heard 
of this customer segment being anybody we serve. The preponderance of our customers are large insurance companies, large financial institutions trying to process transactions so a consumer can 
get some kind of benefit — an insurance policy, a job — large retailers 
or large customers of ours. We don’t have very many customers 
that aren’t in the large commercial space or government enter- 
prises. 

Senator Bill Nelson. May I ask a follow-up on that? 

But if one of your large commercial customers asked for this in- 
formation, and you had some reason to know that they were going 
to use it for political purposes 

Mr. Curling. Our customers, by and large, have to send us — 
they’re asking questions an application at a time, so I’m not sure 
how they’d come in and ask that question, anyway. The most likely 
way they could present themselves is through the direct marketing 
business, where we don’t sell sensitive, personal identifiable infor- 
mation anyway. But, again, I’ll be happy to get back to the Senator 
and the Committee on that. I’m not aware this is a market we have 
any interest or any services to. 

Senator Smith. Like I said at the — earlier in the hearing, Sen- 
ator, this was a question that didn’t register Republican or Demo- 
crat, but maybe both sides are pretty interested now. 

[Laughter.] 

Senator Smith. But I think you raise 

Senator Kerry. Well, I’ve seen some pretty sophisticated anal- 
ysis based on those things. 

[Laughter.] 

Senator Smith. Yes. But in all seriousness, I think your point is 
well taken, and I think both sides do have an interest in making 
sure that people’s rights and privacy are protected. 

And so, we appreciate very much, gentlemen, your being here 
today and for the contribution you’ve made to our understanding 
of this issue and the kind of problem we’re trying to wrestle with 
and get some results for the American people. So, we thank you. 

And we’ll now call forward our second panel. It will consist of 
Ms. Jennifer T. Barrett, Chief Privacy Officer of Acxiom Corpora- 
tion, in Little Rock, Arkansas; Mr. Paul Kurtz, Executive Director 
of the Cyber Security Industry Alliance, Arlington, Virginia; Mr. 
Marc Rotenberg, President and Executive Director, Electronic Pri- 
vacy Information Center, in Washington, D.C.; and Ms. Mari 
Frank, of Mari J. Frank, Esquire, & Associates, of Laguna Niguel, 
California. 

Senator Pryor will introduce Ms. Barrett. Thank you all for being 
here. 

Senator Pryor. Thank you, Mr. Chairman. 

It’s really an honor for me to introduce to the Committee today 
Jennifer Barrett. She’s the Chief Privacy Officer at Acxiom Cor- 
poration. And I think that title is very significant, because, as I un- 
derstand it, Ms. Barrett was one of the first chief privacy officers 
anywhere in the Nation, and I think it underscores a commitment 
that this particular company has, of trying to find that balance be- 
tween privacy issues and also the burgeoning information age and 
the needs that we have there. 
So, Acxiom is a company that was founded in 1969. I think she’s 
been with the company for a number of years — maybe not since the 
very beginning, but from the early days, at least. And it is based 
in Arkansas. And it employs more than 6,300 people in eight coun- 
tries, with an annual revenue of $1.2 billion. 

So, we’re fortunate in our State to have, really, the industry lead- 
er there, and we look forward to hearing her insights on this sub- 
ject matter today. 

Senator Smith. Ms. Barrett, why don’t we start with you? 

STATEMENT OF JENNIFER T. BARRETT, 

CHIEF PRIVACY OFFICER, ACXIOM CORPORATION 

Ms. Barrett. Thank you, Senator Smith and Senator Pryor. And 
thank you for allowing Acxiom the opportunity to participate in 
this important hearing. 

I ask that my written statement be inserted in the record. 

Senator Smith. Without objection. 

Ms. Barrett. Mr. Chairman, let me be blunt. The bad guys are 
smart, and they’re getting better organized and using their skills 
to illegally and fraudulently access information. Acxiom must, 
therefore, remain vigilant and innovative by constantly improving, 
auditing, and testing our systems — and, yes, even learning from se- 
curity breaches in the marketplace. Information is an integral part 
of the American economy, and Acxiom recognizes its responsibility 
to safeguard the personal information it collects and brings to mar- 
ket. 

As FTC Chairman Majoras recently stated in her testimony both 
before the Senate and the House, there’s no such thing as perfect 
security, and breaches can happen even when a company has taken 
every reasonable precaution. Although we believe this is true, no 
one has a greater interest than Acxiom in protecting the informa- 
tion we have, because our very existence depends on it and how 
well we do that. 

Acxiom’s U.S. business includes two distinct components, our 
computer services and a line of information products. Our computer 
services, which represent more than 80 percent of the company’s 
business, help businesses, not-for-profit organizations, political 
parties, and government manage their own information. Less than 
20 percent of Acxiom’s business comes from its four information 
product lines — a fraud-management product line, background 
screening products, directory products, and marketing products. 
Our fraud management and background screening products are the 
only Acxiom products containing sensitive information, and they 
represent less than 10 percent of our business. 

Acxiom would like to take this opportunity to set the record 
straight in a number of misunderstandings that have developed 
about the company: 

First, Acxiom does not maintain one big database containing dos- 
siers on anyone. Instead, we maintain discrete, segregated data- 
bases for each product. 

Second, Acxiom does not commingle our clients’ information from 
our computer services business with our information products. 
Such activity would constitute a violation of our contracts and of 
consumer privacy. 
Third, Acxiom’s fraud-management products are sold only to a 
handful of large companies and government agencies who have a 
legitimate need for them. The information utilized in these prod- 
ucts is covered under the Safeguards Rules and Use Rules of 
Gramm-Leach-Bliley, and both State and Federal driver privacy 
protection laws. 

Fourth, Acxiom’s fraud-management verification services only 
validate information already in the client’s possession. Access to 
additional information is available only to law enforcement and the 
internal fraud departments of large financial institutions and in- 
surance companies. 

Fifth, our background screening products are covered under the 
Fair Credit Reporting Act, and we do not pre-aggregate any of the 
information provided. 

Beyond these protections, there are additional safeguards that 
exist: 

First, because public information is blended with regulated infor- 
mation in both our fraud-management and background screening 
products, Acxiom voluntarily applies the more stringent security 
standard to all such blended data, even though not required to by 
law. 

Second, since 1997, Acxiom has posted its privacy policy on our 
website, describing our online and offline practices; thus, volun- 
tarily subjecting the company to FTC rules governing unfair or de- 
ceptive conduct. 

Third, the company has imposed our own internal, more restric- 
tive guidelines for the use of sensitive information such as Social 
Security numbers. 

Fourth, all of Acxiom’s information products and practices have 
been audited on an annual basis since 1997, and our security poli- 
cies are regularly audited, both internally and by many of our cli- 
ents. 

Two years ago, Acxiom experienced a security breach on one of 
our external file-transfer servers. Fortunately, the vast majority of 
information involved was of a nonsensitive nature, and law enforce- 
ment was able to apprehend the suspects and ascertained that 
none of the information was used to commit identity fraud. Since 
then, Acxiom has put in place even greater protections for the ben- 
efit of both consumers and our clients. 

In conclusion, ongoing privacy concerns indicate that the adop- 
tion of additional legislation may be appropriate. Acxiom supports 
efforts to pass federally preemptive legislation requiring notice to 
the consumers in the event of a security breach which places con- 
sumers at risk of identity fraud. Acxiom also supports the recent 
proposal from FTC Chairman Majoras for extension of the Gramm- 
Leach-Bliley Safeguards Rules. 

Senator Smith, on behalf of Acxiom, I want to express my grati- 
tude for the opportunity to participate in this hearing. I’ll be happy 
to answer any questions the Committee may have. 

[The prepared statement of Ms. Barrett follows:] 

Prepared Statement of Jennifer T. Barrett, 
Chief Privacy Officer, Acxiom Corporation 

Summary 

Acxiom has an inherent responsibility to safeguard the personal information we 
collect and bring to the market, and we have focused on assuring the appropriate 
use of these products and providing a safe environment for this information since 
1991 when the company brought its first information products to market. 

Information has become an ever growing and ever more integral part of the Amer- 
ican economy. Information is the facilitator of convenience and competition, and it 
provides the tools that reduce fraud and terrorism. As such, we believe that it is 
Acxiom’s obligation to provide effective safeguards to protect the information we 
bring to market regardless of the difficulties encountered in doing so. 

Only Acxiom’s fraud management and background screening products involve the 
transfer of sensitive information. These products, therefore, are subject to law, regu- 
lations and our own company policies that help protect against misuse. 

GLBA and DPPA: Our fraud management products utilize information covered 
under the Gramm-Leach-Bliley Act (GLBA), and driver’s license information 
covered under both State and Federal driver’s privacy protection acts (DPPAs). 
FCRA and FACTA: Our background screening products are covered by all of the 
regulations and consumer protections established by the Fair Credit Reporting 
Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). 
Safeguarding Public Record Information: Although a heightened level of protec- 
tion is not mandated for public record information, by virtue of the fact that 
such public information is blended with regulated information, Acxiom volun- 
tarily chooses to apply the more stringent standards of the above-mentioned reg- 
ulations to the resulting products. 

Although Acxiom’s directory and marketing products do not contain any sensitive 
information that could put a consumer at risk for identity fraud, Acxiom is still sub- 
ject to the following critical safeguards: various industry guidelines, compliance with 
all requirements in the original notice to consumers at the time the data was col- 
lected, and voluntary compliance with those laws to which our clients themselves 
are subject. 

There has been much discussion, especially in recent weeks, about whether exist- 
ing Federal law sufficiently protects consumers from harm. In this regard, Acxiom 
does believe that additional, appropriately tailored measures, such as Federal pre- 
emptive legislation requiring notice to consumers in the event of a security breach, 
would assist Acxiom, the rest of the information services industry and businesses 
in general in ensuring that consumers are protected from fraud and identity theft. 
But, as FTC Chairman Majoras has said, even the best security systems imaginable 
and the strongest laws possible can nonetheless be circumvented by inventive crimi- 
nals intent on committing fraud. 

Introduction 

Chairman Stevens, Senator Inouye, and distinguished members of the Committee, 
thank you for holding this hearing to explore the treatment of data broker services 
under existing State and Federal laws as well as possible solutions to the crime of 
identity theft. Acxiom appreciates the opportunity to participate in today’s hearing. 

Acxiom has an inherent responsibility to safeguard the personal information we 
collect and bring to the market, and we have focused on assuring the appropriate 
use of these products and providing a safe environment for this information since 
1991 when the company brought its first information products to market. 

It is important that we all recognize that information has become an ever growing 
and ever more integral part of the American economy. Information is the facilitator 
of convenience, competition and provides the tools that reduce fraud and terrorism. 
As such, we believe that it is Acxiom’s obligation to provide effective safeguards to 
protect the information we bring to market regardless of the difficulties encountered 
in doing so. 

Let me be blunt. The bad guys are smart and getting more organized. They will 
use all of the skills available to them to try to find ways to obtain the information 
they need to commit fraud. Acxiom must therefore remain vigilant and innovative, 
and that is why we employ a world-class information security staff to help us fend 
off criminals who attempt to access Acxiom’s data. Acxiom is constantly improving, 
auditing and testing its systems. Yes, Acxiom is even learning from security 
breaches when they occur, and we are certain that other responsible companies are 
doing so as well. 
As Chairman Deborah Majoras of the Federal Trade Commission recently stated 
in her testimony before the Senate, “[T]here is no such thing as perfect security, 
and breaches can happen even when a company has taken every reasonable pre- 
caution.” Even though we believe that this is true, no one has a greater interest 
than Acxiom in protecting information because the company’s very existence de- 
pends on securing personal information pertaining to consumers. 

In order to enjoy the benefits provided by a robust information-based economy and 
also to keep our citizens safe from fraudulent activity, there are no quick fixes or 
easy solutions. We believe that it is necessary that cooperation exists among policy 
makers, information service providers, Acxiom’s clients, law enforcement and con- 
sumers. We applaud your interest in exploring these issues and we very much want 
to be a resource in helping you achieve the proper legislative balance we all seek. 

About Acxiom Corporation 

Founded in 1969, Acxiom is headquartered in Little Rock, Arkansas, with oper- 
ations throughout the United States, and with processing centers in Arkansas, Illi- 
nois, Arizona, Ohio and California. The company also has offices in nine other coun- 
tries across Europe and Asia. From a small company in Arkansas, Acxiom Corpora- 
tion has grown into a publicly traded corporation with more than 6,000 employees 
worldwide. 

Acxiom’s U.S. business includes two distinct components: customized computer 
services and a line of information products. Acxiom’s computer services represent 
the vast majority of the company’s business and they include a wide array of leading 
technologies and specialized computer services focused on helping clients manage 
their own customer information. These services are offered exclusively to large busi- 
nesses, not-for-profit organizations, political parties and candidates, and government 
agencies. Acxiom’s private sector computer services clients represent a “who’s who” 
of America’s leading companies. Acxiom helps these clients improve the loyalty of 
their customers and increase their market share, while reducing risk and assisting 
them with their compliance responsibilities under State and Federal law. Finally, 
Acxiom helps government agencies improve the accuracy of the personal information 
they currently hold. 

The balance of Acxiom’s business comes from information products that are com- 
prised of four categories: fraud management products, background screening prod- 
ucts, directory products and marketing products. These four product lines represent 
less than 20 percent of the company’s total business and the fraud management and 
background screening products represent less than 10 percent. While each product 
plays a unique role, all of Acxiom’s information products help fill an important gap 
in today’s business-to-consumer relationship. 

To understand the critical role Acxiom plays in facilitating the Nation’s economy 
and safeguarding consumers, it is important to understand what the company does 
not do. Over the years, a number of myths have developed about Acxiom that re- 
quire clarification. Please allow us to set the record straight: 

• Acxiom does not maintain one big database that contains detailed information 
about all individuals. Instead, the company safeguards discrete databases devel- 
oped and tailored to meet the specific needs of Acxiom’s clients — entities that 
are appropriately screened and with whom Acxiom has legally enforceable con- 
tractual commitments. I cannot call up from the company’s databases a detailed 
dossier on myself or any individual. 

• Acxiom does not provide information on particular individuals to the public, 
with the exception of Acxiom’s telephone directory products. These products, 
which are available on several Internet search engines, contain information al- 
ready available to the public. The other information Acxiom processes is pro- 
vided only to legitimate businesses for specific, legitimate business purposes. 

• Acxiom does not have any information in either its directory or marketing 
products which could be used to commit identity fraud. Acxiom also does not 
include detailed or specific transaction-related information, such as what pur- 
chases an individual made on the Internet or what websites they visited. The 
company’s directory products include only name, address, and telephone infor- 
mation. The company’s marketing products include only information that is gen- 
eral in nature and not specific to an individual purchase or transaction. 

• Acxiom does not commingle client information that the company processes in its 
computer services business with any of our information products. Such activity 
would constitute a violation of the company’s services contracts with those cli- 
ents and a violation of consumer privacy. A client for whom the company per- 
forms services may have a different agreement with us as a data contributor, 
but these two relationships are kept entirely separate. 
Acxiom’s fraud management products are sold exclusively to a handful of large 
companies and government agencies — they are not sold to individuals. The com- 
pany’s verification services only validate that the information our client has ob- 
tained from the consumer is correct. Only law enforcement, government agencies 
and the internal fraud departments of large financial institutions and insurance 
companies have access to additional information. 

Acxiom’s background screening products provide employment and tenant screen- 
ing services which utilize field researchers who do in-person, real-time research 
against public records and make calls to past employers to verify the information 
provided by the consumer. Where permitted by law, a pre-employment credit report 
can also be obtained. Acxiom does not pre-aggregate information for these products. 

Acxiom’s directory information products contain only contact information on con- 
sumers such as name, address and telephone number. They are collected so busi- 
nesses and consumers can locate other businesses or consumers. They are compiled 
from the white and yellow pages of published U.S. and Canadian telephone direc- 
tories and from information available from the various directory assistance services 
provided by the telephone companies. 

Acxiom’s marketing information products provide demographic, lifestyle and inter- 
est information to companies to reach prospective new customers who are most like- 
ly to have an interest in their products and to better understand and serve the 
needs of existing customers. They are compiled from public records, surveys and 
summarized customer information primarily from publishers and catalogers. 

Respecting and Protecting Consumers’ Privacy 

Acxiom has a longstanding tradition and engrained culture of protecting and re- 
specting consumer interests in our business. The company is today, and always has 
been, a leader in developing self-regulatory guidelines and in establishing security 
policies and privacy practices. There are, as explained below, numerous laws and 
regulations that govern our business. Ultimately, however, Acxiom’s own com- 
prehensive approach to information use and security goes far beyond what is re- 
quired by either law or self-regulation. 

Safeguards Applicable to Products Involving the Transfer of Sensitive Information 

Only Acxiom’s fraud management and background screening products involve the 
transfer of sensitive information. These products, therefore, are subject to law, regu- 
lations and our own company policies that help protect against identity fraud. These 
legal protections and additional safeguards are addressed below: 

GLBA, DPPAs, and FTC: Our fraud management products utilize information 
covered under the Gramm-Leach-Bliley Act (GLBA), and driver’s license infor- 
mation covered under both State and Federal driver’s privacy protection acts 
(DPPAs). These obligations include honoring GLBA and DPPA notice and choice 
related to sharing and use of the information, the GLBA Safeguard Rules and 
FTC Privacy Rule and Interagency Guidelines. Any uses of data must fall with- 
in one of the permitted uses or exceptions specified in these laws. 

FCRA and FACTA: Our background screening products are covered by all of the 
regulations and consumer protections established by the Fair Credit Reporting 
Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). These 
protections include: the requirement that a consumer authorize the creation of 
employment reports; notice of adverse actions taken based on such report; and 
the right of consumers to obtain a copy of such reports and to dispute inaccura- 
cies. Finally, such regulations require that re-verification or correction of dis- 
puted information be performed in a timely manner. 

Safeguarding Public Record Information: Public records are used in both 
Acxiom’s fraud management and background screening products. Although a 
heightened level of protection is not mandated for such public record informa- 
tion, by virtue of the fact that such public information is blended with regulated 
information, Acxiom voluntarily chooses to apply the more stringent standards 
of the above-mentioned regulations to the resulting products. 

Safeguards Applicable to Other Products 

Although Acxiom’s directory and marketing products do not contain any sensitive 
information that could put a consumer at risk for identity fraud, Acxiom is still sub- 
ject to the following critical safeguards: various industry guidelines, compliance with 
all requirements in the original notice to consumers at the time the data was col- 
lected, and voluntary compliance with those laws to which our clients themselves 
are subject. 
Telephone Directory Safeguards: Acxiom’s directory products comply with all ap- 
plicable policies regarding unpublished and unlisted telephone numbers and ad- 
dresses. In addition, because Acxiom recognizes that consumers may object to 
published listings being available on the Internet, Acxiom itself offers an opt- 
out from such use. Further, Acxiom voluntarily suppresses all telephone num- 
bers found on the Federal Trade Commission’s Do-Not-Call Registry and the 
eleven other State Do-Not-Call registries, when providing phone numbers for 
targeted telemarketing purposes. 

Marketing Product Safeguards: Acxiom’s marketing products comply with all 
the self-regulatory guidelines issued by the Direct Marketing Association. These 
requirements include notice and the opportunity to opt-out. Consumers have the 
ability to opt-out from Acxiom’s marketing products by calling the company’s 
toll-free Consumer Hotline, accessing its website, or by writing to the company. 
Since Acxiom does not have a customer relationship with individual consumers, 
Acxiom coordinates with its industry clients to research and resolve consumer 
inquiries. 

Additional Safeguards 

Acxiom takes seriously its responsibility to assure that all the information we 
bring to market is appropriate for the use to which it is intended and to provide 
adequate safeguards specifically aimed at protecting against unauthorized use. 

Privacy Policy / FTC Jurisdiction: Since 1997, long before it was a common prac- 
tice, Acxiom has posted its privacy policy on the company’s website. The privacy 
policy describes both Acxiom’s online and offline consumer information products. 
The policy further describes: what data Acxiom collects for these products; how 
such data is used; the types of clients to which such data is licensed; as well 
as the choices available to consumers as to how such data is used. By making 
these extensive disclosures, Acxiom has voluntarily subjected itself to Section 5 
of the Federal Trade Commission Act, which prohibits unfair or deceptive con- 
duct in the course of trade or commerce, as well as various State statutes gov- 
erning unfair and deceptive acts and practices. 

Consumer Care Department / Consumer Hotline: Acxiom maintains a Consumer 
Care Department led by a Consumer Advocate whose team interacted with 
more than 50,000 consumers in the past 12 months by way of answering ques- 
tions, resolving issues, processing opt-outs, and handling requests for access to 
Acxiom’s fraud management, background screening, directory and marketing 
products. Acxiom provides consumers who contact the company (through the 
company website, or by calling a toll-free Consumer Hotline or by writing to the 
company) the options of: opting-out of all of Acxiom’s marketing products; re- 
ceiving an information report from the company’s fraud management and direc- 
tory products; or receiving a consumer report as specified in the FCRA from the 
company’s background screening products. Acxiom encourages consumers to no- 
tify the company if the information in any of these reports is inaccurate and 
it is the company’s policy either to correct the information, to delete it or to 
refer the consumer to the appropriate source to obtain the requested correction, 
such as a county or State agency. 

Certification and Compliance with Federal and State Law: Acxiom’s privacy pol- 
icy is designed to adhere to all Federal, State, and local laws and regulations 
on the use of personal information. The company is also certified under the De- 
partment of Commerce’s European Union Safe Harbor and the Better Business 
Bureau’s Online Seal. 

Consumer Education: Acxiom believes that consumers should be educated about 
how businesses use information. To that end, Acxiom publishes a booklet, enti- 
tled “Protecting Your Privacy in the Information Age — What Every Consumer 
Should Know About the Use of Individual Information,” which is available for 
free both on the company’s website and upon written or telephone request. 

Voluntary Acxiom Policies: Above and beyond the industry-accepted guidelines 
with which Acxiom complies, Acxiom also has established its own internal 
guidelines, which are more restrictive than industry standards. For example, 
Acxiom only collects the specific information required to meet its clients’ infor- 
mation needs, and the company properly disposes of the remaining data, when 
information is compiled from public records. Acxiom has also implemented spe- 
cific guidelines regarding the use and protection of information that could be 
involved in identity fraud, such as Social Security numbers. 

Information Practice and Security Audits: Acxiom has had a longstanding focus 
on the appropriate use of information in developing and delivering its informa- 
tion products. While the creation of strong information use policies is a business 
imperative, assuring these policies are followed is equally important. To this 
end, all of Acxiom’s information products and practices have been internally and 
externally audited on an annual basis since 1997. 

Since many of Acxiom’s computer service clients are financial institutions and 
insurance agencies, Acxiom has been regularly audited for many years by these 
clients. Furthermore, Acxiom must honor the safeguards and security policies 
of the company’s clients. Since Acxiom’s security program is enterprise-wide, it 
is the company’s policy to institute these high levels of protection across all 
lines of business. These client audits, along with Acxiom’s own internal security 
audits, provide Acxiom with regular and valuable feedback on ways to stay 
ahead of hackers and fraudsters who may attempt to gain unauthorized access 
to Acxiom’s systems. 

Lessons Learned 

Two years ago, Acxiom experienced a security breach on one of the company’s ex- 
ternal file transfer servers. The hackers were employees of an Acxiom client and a 
client’s contractor. As users with legitimate access to the server, the hackers had 
received authority to transfer and receive their own files. The hackers did not pene- 
trate the firewalls to Acxiom’s main system. They did, however, exceed their author- 
ity when they accessed an encrypted password file on the server and successfully 
unencrypted about 10 percent of the passwords, which allowed them to gain access 
to other client files on the server. Fortunately, the vast majority of the information 
involved in this incident was of a non-sensitive nature. 

Upon learning of the initial breach from law enforcement, Acxiom immediately no- 
tified all affected clients and, upon further forensic investigation, the company in- 
formed law enforcement regarding a second suspected security incident. Fortu- 
nately, in both instances, law enforcement was able to apprehend the suspects, re- 
cover the affected information and ascertain that none of the information was used 
to commit identity fraud. One of the hackers pled guilty and was recently sentenced 
to 48 months in Federal prison. The other is currently awaiting trial. 

As a result of the breach, Acxiom cooperated with audits conducted by dozens of 
its clients, and both the Federal Trade Commission and the Office of the Comp- 
troller of the Currency examined Acxiom’s processes to ensure that the company 
was in compliance with all applicable laws and its own stated policies. 

This experience taught Acxiom additional valuable lessons regarding the protec- 
tion of information. For example, Acxiom now requires the use of more secure pass- 
words on the affected server. The process for transferring files has been changed, 
specifically by keeping information on the server for much shorter periods of time. 
And while it was always a recommended internal policy, Acxiom now requires that 
all sensitive information passed across such servers be encrypted. In addition, while 
Acxiom has had in place a Security Oversight Committee for many years, the com- 
pany has also now appointed a Chief Security Officer with more than 20 years of 
IT experience. In short, Acxiom’s systems are more secure today as a result of the 
company’s experience and dedication to the privacy of consumers. 

The Need For Additional Legislative Safeguards 

There has been much discussion, especially in recent weeks, about whether exist- 
ing Federal law sufficiently protects consumers from harm. In this regard, Acxiom 
does believe that additional, appropriately tailored legislation would assist Acxiom, 
the rest of the information services industry and businesses in general in ensuring 
that consumers are protected from fraud and identity theft. But, as FTC Chairman 
Majoras has said, even the best security systems imaginable and the strongest laws 
possible can nonetheless be circumvented by inventive criminals intent on commit- 
ting fraud. 

Breach Notification: Acxiom supports efforts to pass Federal preemptive legisla- 
tion requiring notice to consumers in the event of a security breach, where such 
breach places consumers at risk of identity theft or fraud. California imple- 
mented similar legislation several years ago, and over thirty other states are 
involved in passing similar laws. The bottom line is that consumers deserve a 
nationwide mandate that requires that they be notified when they are at risk 
of identity theft, so they can take appropriate steps to protect themselves. 

Extension of the GLBA Safeguards Rule: Currently, Acxiom voluntarily subjects 
itself to the GLBA Safeguards Rule with respect to the company’s computer 
services and information products. Acxiom also complies with the California 
safeguards law (AB 1950). FTC Chairman Majoras recently has proposed an ex- 
tension of the GLBA Safeguards Rule to the information services industry as 
a whole. Acxiom supports her recommendation. 

Mr. Chairman, Acxiom appreciates the opportunity to participate in this hearing 
and to assist Congress in identifying how best to safeguard the Nation’s information 
and data. Acxiom is available to provide any additional information the Committee 
may request. 

Senator Smith. Thank you, Ms. Barrett. 

Mr. Kurtz? 

STATEMENT OF PAUL B. KURTZ, EXECUTIVE DIRECTOR, 
CYBER SECURITY INDUSTRY ALLIANCE (CSIA) 

Mr. Kurtz. Thank you, Senator Smith. It’s a pleasure to be here 
today. Thank you for inviting the Cyber Security Industry Alliance 
to testify before this Committee. As Executive Director of CSIA, I’m 
pleased to speak about the importance of securing personal identity 
information. 

Prior to leading CSIA, I served for 16 years in the Federal Gov- 
ernment, 12 years at the State Department and 4 years at the 
White House, where I served on the National Security Council and 
the Homeland Security Council, working on counterterrorism and 
critical infrastructure protection. 

CSIA is an organization of 15 CEOs consisting of the world’s top 
security providers who offer the technical expertise and depth of 
focus and encourage a better understanding of cybersecurity policy 
issues. We believe ensuring the security, the integrity, and the 
availability of global information systems is fundamental to eco- 
nomic and national security. 

We need, simply, to come to terms with our reliance on informa- 
tion systems and the vast amount of personal information in stor- 
age and in transit in such systems. Our information systems must 
be secure and reliable — in particular, protecting personal informa- 
tion from unauthorized disclosure. We need a strategic approach 
that is more preventative or preemptive in nature, rather than 
largely reactive and defensive, as a recent CRS study on cyber secu- 
rity indicates. 

Every electronic breach of personal information is another reason 
for consumers to lose trust in our information systems. A recent 
survey conducted by the Ponemon Institute revealed that 57 per- 
cent of consumers with high trust in their primary banks say they 
would cease all online services with their current bank in the event 
of a single security breach. The loss of trust or confidence in our 
information systems inhibits economic growth, the security of our 
citizens and Nation. 

CSIA believes the right approach to securing consumers’ personal 
data requires a blend of appropriate policies, technical expertise, 
and security technologies. Let me be clear, we are not mandating 
specific technology solutions. A key question before this Committee 
is defining the government’s role, whether directly or indirectly, in 
fostering the protection of personal information on information sys- 
tems owned and operated by the private sector. This Committee, 
rightfully, will also examine where the marketplace is succeeding 
at protecting personal information, and where it is failing. 

At this critical time of technology development and innovation, 
the United States, as an economic force and a global technology 
leader, must carefully chart a public-policy approach to information 
security that continues to encourage innovation while also pro- 
viding protection. 

There is no silver-bullet approach solution. There are two funda- 
mental areas requiring protection: the storage of personal informa- 
tion, such as names, addresses, and Social Security numbers, and 
the movement of the data. Movement of the data amplifies the 
challenge of security, because it creates weak points, if you will, in 
the system. The movement of data makes it difficult to define the 
set of users who should take action to secure the personal informa- 
tion. 

So, what is the solution set? It involves a combination of tech- 
nologies, policies, and expertise. Key policies and technologies in- 
clude vetting employees, establishing and enforcing corporate secu- 
rity policies, encryption, auditing, monitoring, anti-virus, intrusion 
detection, and firewalls, strong authentication and access controls. 
These technologies, in particular, are critical, as passwords are in- 
herently weak and easily compromised. 

Market adoption of security technologies, however, is mixed. 
Some enterprises, however, are beginning to see security as a 
means to differentiate themselves from their competition. Congress 
should examine the protection of personal information more broad- 
ly than just the data brokers, as other organizations possess sig- 
nificant amounts of personal data. We have seen evidence of those 
breaches in recent days. 

In this context, CSIA recommends Congress consider the fol- 
lowing: 

Take a holistic approach to understanding what cybersecurity 
problems are, such as spyware, phishing, data-warehouse security. 
They are, in fact, all related. In each case, the target is personal 
information in order to commit electronic fraud. 

Two, harmonize any legislation with existing legislation at the 
Federal level, filling gaps rather than duplicating requirements al- 
ready contained in existing law. 

Use existing standards wherever possible, rather than creating 
new ones. 

Preempt State law, where appropriate, in order to avoid a patch- 
work quilt of regulations relating to the security of personal infor- 
mation. 

Encourage the broader use of security technologies without man- 
dating such solutions. California, the Data base Protection Act, 
1386, which went into effect in July 2003, encourages the 
encryption of personal information without mandating it. 

Investigate incentives, including safe harbors, tax benefits, third- 
party or self-certification, insurance, and adoption of best practices. 

Increase penalties for identity theft and cybercrimes, and ensure 
appropriate resources are available. 

Ratify the Council of Europe’s Convention on Cybercrime, which 
will create a global framework for prosecuting and investigating 
cybercriminals. We need to see this in a global fashion. 

We need, also, to have leadership on the part of Federal Govern- 
ment, the formation of — or, excuse me, an Assistant Secretary at 
DHS focused on cybersecurity will be helpful. 

And we also can’t forget R&D. 
Let me close by noting, again, the recent CRS study on cyberse- 
curity. The study states there is currently no unified national 
framework for improving cybersecurity, and there are several areas 
of weaknesses where such a framework could be useful in gener- 
ating improvements, and several means of leverage exist that could 
be used in the development or implementation of such a frame- 
work. 

We believe the points noted above offer, if you will, guideposts 
for the government’s role in creating such a framework. 

I appreciate the opportunity to testify today. Thank you very 
much. 

[The prepared statement of Mr. Kurtz follows:] 

Prepared Statement of Paul B. Kurtz, Executive Director, 
Cyber Security Industry Alliance (CSIA) 

Thank you Chairman Stevens and Co-Chairman Inouye for inviting the Cyber Se- 
curity Industry Alliance (CSIA) to testify before this committee on Identity Theft/ 
Data Broker Services. As Executive Director of CSIA, I am pleased to speak about 
the importance of securing personal identifying information. 

The Federal Trade Commission estimates that 27 million Americans were victims 
of some kind of ID theft in the past five years. Other studies suggest 1 in 20 U.S. 
citizens have been hit by electronic fraud. The numbers are staggering. Every elec- 
tronic breach of personal information is another reason for consumers to lose trust 
in our information systems. A recent survey conducted by the Ponemon Institute re- 
vealed that 57 percent of consumers with high trust in their primary bank say they 
would cease all online services with their current bank in the event of a single pri- 
vacy breach. The loss of trust or confidence in our information systems inhibits eco- 
nomic growth, our security as citizens as well as a nation. CSIA believes the right 
approach to securing consumers’ personal data requires a blend of appropriate poli- 
cies, technical expertise and security technologies. 

A central question before this Committee today is defining the government’s 
role — whether directly or indirectly — in protecting personal information residing on 
information systems owned and operated by the private sector. This Committee, 
rightfully, will also look at where the marketplace is succeeding at protecting per- 
sonal information and where it is failing. At this critical time of technology develop- 
ment and innovation, the United States, as an economic force and a global tech- 
nology leader, must carefully chart a public policy approach to information security 
that continues to encourage innovation while also providing protections. 

In my testimony today, I will cover four areas. 

• A brief introduction to CSIA; 

• Security challenges in securing electronic data; 

• Solutions and market activity; and 

• Recommendations for Congress’ consideration in securing electronic data. 

Introduction to CSIA 

CSIA is dedicated to enhancing cybersecurity through public policy initiatives, 
public sector partnerships, corporate outreach, academic programs, alignment be- 
hind emerging industry technology standards and public education. CSIA is led by 
CEOs from the world’s top security providers, who offer the technical expertise, 
depth and focus to encourage a better understanding of cyber security policy issues. 
We believe that ensuring the security, integrity and availability of global informa- 
tion systems is fundamental to economic and national security. We are committed 
to working with the public sector to research, create and implement effective agen- 
das related to national and international compliance, privacy, cybercrime, and eco- 
nomic and national security. We work closely with other associations representing 
vendors, critical infrastructure owners and operators, as well as consumers. 

CSIA’s initiatives range from examining the cybersecurity implications of Sar- 
banes-Oxley to the security and reliability of Internet telephony, also known as 
Voice over IP, to advocating more government leadership in identifying and pro- 
tecting critical information infrastructure. 

CSIA understands that the private sector bears a significant burden for improving 
cyber security. CSIA embraces the concept of sharing that responsibility between in- 
formation technology suppliers and operators to improve cyber security. Cyber secu- 
rity also requires bi-partisan government leadership. 

Members of the CSIA include BindView Corp.; Check Point Software Technologies 
Ltd.; Citadel Security Software Inc.; Citrix Systems, Inc.; Computer Associates 
International, Inc.; Entrust, Inc.; Internet Security Systems Inc.; iPass Inc.; Juniper 
Networks, Inc.; McAfee, Inc; PGP Corporation; Qualys, Inc.; RSA Security Inc.; Se- 
cure Computing Corporation; Symantec Corporation and TechGuard Security, LLC. 

Challenges in Securing Electronic Data 

Many large organizations, from corporations to universities and health care sys- 
tems, are conducting more of their business using network technology such as the 
Internet. Therefore, customers, employees, students and patients are having their 
personally identifiable information gathered into vast electronic data storage reposi- 
tories. Some industries already have requirements to protect personally identifiable 
information, such as the banking and health communities. Laws and regulations are 
being created at various levels to address security and privacy because the criminal 
activity related to stealing these electronic data is increasing exponentially. Multiple 
laws requiring potentially different requirements will quickly make compliance an 
overly complex task. 

The problem of ensuring security and confidentiality of electronic data is complex. 
There are two fundamental areas requiring protection. The first is protecting the 
storage of personal information in data warehouses such as names, addresses and 
Social Security numbers. The second is protecting the movement of these data to and 
from the data warehouse. 

Technical security safeguards are used to address both the storage and movement 
issues. Policy is also crucial for it governs implementation of the technical safe- 
guards and access to the data. Movement of the data amplifies the challenge of se- 
curity because it creates weak points in the system. Those points are often outside 
the direct control of security administrators overseeing data warehouses. The move- 
ment of data makes it difficult to define the set of users who should take action to 
ensure the security of personal information by a select group. Therefore, policy and 
best practices play a pivotal role in shoring up weak points. 

The core information technology application of large data holders is a “data ware- 
house.” It accumulates disparate records then analyzes, stores and distributes a vast 
amalgamation of information — billions of records about hundreds of millions of 
Americans. Many elements of the technology require special provisioning for secu- 
rity, including applications, systems and networks. A secure solution requires secu- 
rity provisions at the original source of data, at the data holder, at service providers, 
and at each customer location accessing the warehouse. The holder’s control of secu- 
rity diminishes as information passes over external networks. Control vanishes once 
information is injected into the customer’s internal applications. 

The data warehouse’s database management system handles security and access 
control. Securing the warehouse is mostly a function of establishing, granting and 
updating access control permissions and rights — a configuration process based on 
policy. Security requirements extend to appropriate configuration of access controls 
and permissions for software applications feeding information into the data ware- 
house. 

Data warehouse technology operates on a networked system of servers. The serv- 
ers may physically exist on premise at the data holder or at an external hosting 
service provider. Other systems for the data warehouse include access devices such 
as PCs, laptops, handheld computing devices, and telephones. Primary security for 
all systems is mostly a function of their operating systems. Proper installation, con- 
figuration and patching of bugs in the operating system software are crucial for se- 
cure systems. 

Solutions and Market Activity 

Before considering steps the government should take to facilitate securing elec- 
tronic data, it is appropriate to discuss solutions and market activity. There is no 
“silver bullet” technical or policy solution to secure data warehouses. A variety of 
technologies and policies are required. Key technologies and policies include: 

• Policy Management: Enforces security rules and regulations. Provides guidance 
to management on who should access what, when and where. 

• Vulnerability Management: Remediate vulnerabilities through scanning devices 
that identify and patch vulnerabilities, as well as mitigate misconfigurations, un- 
necessary services, unsecured accounts, and malicious code. Addressing major 
classes of network and desktop vulnerability improves IT enterprise and oper- 
ational stability. 
• Intrusion Detection/Prevention: Technologies that monitor content of network 
traffic for infections and block traffic carrying infected files or programs. Reduc- 
ing incoming sick traffic closes another window for criminals to access these 
data. 

• Authentication: A critical first step to ensuring only appropriate users may ac- 
cess the data is using digital certificates and multiple factor authentication. 
This is a way to confirm legitimate customers and control internal end-user ac- 
cess. Strong authentication also mitigates the problem of passwords, which are 
inherently weak, from being hacked or otherwise compromised. 

• Access Controls: Ensure that authenticated users and applications can access 
only that data and information which they have been granted authority to use. 
Access controls may be based on a number of factors, including an individual’s 
role in an organization. They are particularly important to prevent insider at- 
tacks and as a deterrent to inappropriate browsing of sensitive data. 

• Audit Files: Detailed and protected records of computer and network traffic and 
transactions that can help ensure policy compliance and assist in forensic inves- 
tigations of computer crime. 

• Encryption: Transforms data into password (key)-protected packets that prevent 
reading by unauthorized users. Secure communication enables data warehouse 
vendors to safely and efficiently serve their customers. 

• Anti-Virus: Software automatically checks new files for infection. Inoculates PCs 
and applications from diseased software code attempting to cause harm. 

• Firewall: Blocks unauthorized traffic from entering PCs and servers from the 
Internet. Protects end-users from unwanted activity on their PCs. 

Some enterprises are beginning to see security as a means to differentiate them- 
selves from their competition. For example, a well known e-trading firm is working 
with a CSIA member to use two factor authentication to improve the security of cus- 
tomer accounts. Some Internet Service Providers (ISPs) are differentiating them- 
selves from others by highlighting the steps they are taking to protect personal in- 
formation. Other CSIA member firms are providing managed security services, 
encryption technologies, intrusion prevention, vulnerability management services to 
a variety of owners and operators of infrastructure. 

Policy Considerations for Securing Electronic Data 

The security of data warehouses will require a blend of appropriate policies, tech- 
nical expertise, and security technologies. Technical provisions for security are 
aimed to thwart unauthorized access to personally identifiable information — wheth- 
er by electronic hackers who break in by securing a legitimate password (e.g. 
LexisNexis), or by in-person fraud (e.g. ChoicePoint). Technical provisions are only 
as strong as the security policy which implements them. 

Security breaches of data warehouses can adversely affect the life of any Amer- 
ican so it is appropriate for Congress to establish national policies in conjunction 
with the private sector for the protection and privacy of personal information. 

While Congress is largely focused on data brokers, the protection of personal in- 
formation is also critical in other businesses where data warehouse technology is 
used and where similar risks exist. Congress should examine the issue more broadly 
as it contemplates the need for legislation. 

In this context, CSIA recommends that Congress consider the following: 

• Take a holistic approach to addressing cyber security. Currently, Congress is 
considering cyber security problems such as spyware, phishing, and data ware- 
house security on an individual basis. In fact, each of these problems has at 
least one issue in common: the attacker is seeking an individual’s personal in- 
formation in order to commit financial fraud. We can anticipate similar exploits 
in the future. 

• Harmonize any new legislation with existing legislation at the Federal level, 
filling gaps rather than duplicating requirements already contained in existing 
law, such as Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability 
and Accounting Act (HIPAA), and the Fair Credit Reporting Act (FCRA). Use 
existing security standards wherever possible, rather than creating new ones. 
This approach would provide a framework for identifying areas of risk, as well 
as encouraging industry best practices. 

• A piecemeal approach by Congress, in conjunction with the numerous laws 
states are passing, will present consumers and businesses with a “patchwork” 
quilt of confusing laws and complicated compliance issues. Already states are 
stepping into the void and creating a confusing patchwork of legislation on the 
issue. Legislation regulating spyware has been introduced in 24 State legisla- 
tures this year, with approaches ranging from studies to changes in criminal 
code. Anti-phishing legislation is sitting on the Governor’s desk in Hawaii, and 
pending in states including Texas and Florida. And there are more than 300 
bills pending on identity theft in our Nation’s State legislatures. A Federal pre- 
emption of the many laws recently passed or currently contemplated at the 
State level related to spyware, phishing, and data broker security would allevi- 
ate much of the concern and consternation within the private sector as a whole. 
However, any preemptive Federal law should maintain, at the minimum, the 
security standards already put in place by corresponding state legislation. 

• Encourage broader use of security technologies without mandating specific tech- 
nology solutions. Urge adoption of the approach utilized in CA 1386 which calls 
for disclosure of a breach involving unencrypted data. 

• To encourage stronger cyber security, Congress should investigate incentives, 
including “safe harbors”, tax benefits, third-party or self certification, insurance 
and the adoption of best practices, without mandating specific technology solu- 
tions. Dictating a specific technology is counterproductive as it stifles innovation 
and discourages creativity. 

• Congress should increase penalties for identity theft and other cyber crimes as 
well as ensure appropriate resources are available to law enforcement authori- 
ties. The Senate should swiftly ratify the Council of Europe’s Convention on 
Cybercrime which would create a global framework for investigating and pros- 
ecuting cyber criminals. 

• Congress should also take a long-term view of information security. There is no 
coherent cyber security R&D agenda. Significant Federal funding is closeted in 
classified programs. While our national security needs must be met, we must 
anticipate that privately owned and operated networks will be attacked as well. 
We need to develop resilient, fault tolerant networks which degrade gracefully 
under attack. 

Leadership in information technology is a constantly moving target. As the tech- 
nology changes and improves, so must its security. Likewise, as the need for public 
protection evolves, so must our public policy. We call on Congress and the Adminis- 
tration to work with the private sector to develop a holistic approach to protecting 
our Nation’s personal information. 

Senator Smith. Thank you very much. 

Mr. Rotenberg? 

STATEMENT OF MARC ROTENBERG, PRESIDENT/EXECUTIVE 
DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER 
(EPIC) 

Mr. Rotenberg. Senator Smith, Senator Nelson, Senator Pryor, 
thank you for the opportunity to testify today. 

My name is Marc Rotenberg. I’m an Executive Director at the 
Electronic Privacy Information Center. EPIC is a nonpartisan re- 
search organization, and we focus our work on emerging civil-lib- 
erties and privacy issues. We’d like to thank you for holding this 
hearing today on identity theft and data brokers. 

We have a particular interest in this topic. Over the last several 
months, you, many of your constituents, and the American public 
have read quite a bit about the massive data disclosures taking 
place across the United States. But it was actually last year that 
EPIC wrote to the Federal Trade Commission and urged the FTC 
to begin an investigation of ChoicePoint and other companies in the 
data-broker industry. And we expressed particular concern about 
the products that were not covered under the Fair Credit Reporting 
Act. Our view was that these products contained much of the same 
sensitive information that would otherwise be regulated under Fed- 
eral law. And, because this information wasn’t covered under Fed- 
eral law, we explained to the FTC, there was heightened risk of the 
loss of privacy of American consumers, of data breaches. And, in 
fact, many of the problems that we wrote about last year to the 
FTC came to pass over the last several months. So, we’re very 
pleased that you’re holding this hearing today. 

I’m going to focus my testimony this afternoon on the legislative 
proposals that have been put forward, because I think it’s very im- 
portant to understand the need to pass legislation at this point in 
time. 

Now, I will say, also, that, clearly, the companies have taken im- 
portant steps, since the breaches have occurred, to try to improve 
their business practices and reduce the likelihood that future prob- 
lems will arise, and they should be applauded for this. 

Senator Smith. But those steps, in your view, are not sufficient. 

Mr. Rotenberg. No, I don’t think they are sufficient, sir. 

Senator Smith. So legislation is necessary. 

Mr. Rotenberg. I think legislation is part of the solution. 

Now, just to put this in context, this is not unlike the situation 
that the Congress faced when it first considered the Fair Credit Re- 
porting Act. People understood that information about American 
consumers would be important for credit determinations and for 
loans. But it was also the case that that information had to be ac- 
curate and used only for appropriate purposes. So, Congress was 
able to pass the FCRA, improve the accuracy and reliability of the 
information for the businesses that had an appropriate reason to 
use it, and, at the same time, safeguard the privacy of American 
consumers. 

And what I’m suggesting today is that I think a similar approach 
should be taken with the information-broker industry. 

Now, you’ve heard quite a bit so far about industry’s support for 
a notification bill. And we think this is also a good starting point. 
Certainly, the notification law in California made it possible for 
people to learn when this breach occurred, and to protect them- 
selves so that they could minimize the risk resulting from the im- 
proper use of their personal information. And I think that approach 
will likely be adopted across the United States. 

But I don’t think notification is adequate. And it is the two bills 
that are pending before this Committee, S. 500 and S. 768, that I 
think point us in the direction of how we reduce the likelihood that 
future problems will occur. 

S. 500, for example, will give the FTC the authority to establish 
basic regulations to ensure that companies in the information- 
broker industry — make sure that the information is accurate and 
reliable, and establish privacy safeguards. 

But I think the better approach, and the one that I know Senator 
Nelson has spent a great deal of time on, is S. 768. This legislation 
really gets to the key problems today in the United States, not only 
ensuring the accuracy of this information, but dealing directly with 
the problem of the misuse of the Social Security number, which is 
clearly contributing to the problem of identity theft — limiting the 
circumstances under which personal information may be sold, giv- 
ing individuals a private right-of-action, and ensuring that the 
types of safeguards are established, that international cooperation 
is made possible, and that the FTC reports to you on an annual 
basis about how their work is progressing to limit the problem of 
identity theft. I think also the establishment of an identity theft 
center within the FTC would come as an enormous benefit to 
American consumers. 

As you may know, identity theft is now the number one crime 
in the United States. The FTC puts the figure at over $50 billion. 
It’s one out of 20 adults in this country. I think S. 768 provides the 
type of framework, the type of comprehensive solution, consistent 
with the approach that was taken with the FCRA for the credit- 
reporting industry 30 years ago, that the American public needs 
today. 

So, I thank you, again, for holding this hearing, and I hope the 
Committee will be able to take action on that bill. 

[The prepared statement of Mr. Rotenberg follows:] 

Prepared Statement of Marc Rotenberg, President/Executive Director, 
Electronic Privacy Information Center (EPIC) 

Mr. Chairman, and members of the Committee, thank you for the opportunity to 
appear before you today. My name is Marc Rotenberg and I am Executive Director 
and President of the Electronic Privacy Information Center in Washington, DC. 
EPIC is a non-partisan public interest research organization established in 1994 to 
focus public attention on emerging civil liberties issues. We are very pleased that 
you have convened this hearing today on Identity Theft and Data Broker Services. 

The main point of my testimony today is to make clear the extraordinary urgency 
of addressing the unregulated sale of personal information in the United States and 
how the data broker industry is contributing to the growing risk of identity theft 
in the United States. There is every indication that this problem is getting worse. 

Whatever your views may be on the best general approach to privacy protection, 
I urge you to take aggressive steps to regulate the information-broker industry and 
to protect the privacy and security of Americans. 

The Significance of the ChoicePoint Matter 

With all the news reporting of the last few months, it has often been difficult to 
tell exactly how a criminal ring engaged in identity theft obtained the records of 
at least 145,000 Americans. According to some reports, there was a computer 
“break-in.” Others described it as “theft.” 1 In fact, ChoicePoint simply sold the infor- 
mation. 2 This is ChoicePoint’s business and it is the business of other companies 
that are based primarily on the collection and sale of detailed information on Amer- 
ican consumers. In this most recent case, the consequences of the sale were severe. 

According to California police, at least 750 people have already suffered financial 
harm. 3 Investigators believe data on at least 400,000 individuals may have been 
compromised. 4 Significantly, this was not an isolated incident. Although ChoicePoint 
CEO Derek Smith said that the recent sale was the first of its kind, subsequent re- 
ports revealed that ChoicePoint also sold similar information on 7,000 people to 
identity thieves in 2002 with losses over $1 million. 5 And no doubt, there may have 
been many disclosures before the California notification law went into effect as well 
as more recent disclosures of which we are not yet aware. 

The consumer harm that results from the wrongful disclosure of personal informa- 
tion is very clear. According to the Federal Trade Commission, last year 10 million 
Americans were affected by identity theft. Identity theft is the number one crime 
in the country. For the fifth year in a row, identity theft topped the list of com- 
plaints, accounting for 39 percent of the 635,173 consumer fraud complaints filed 
with the agency last year. 6 And there is every indication that the level of this crime 
is increasing. 

ChoicePoint is not the only company that has improperly disclosed personal infor- 
mation on Americans. Bank of America misplaced back-up tapes containing detailed 
financial information on 1.2 million employees in the Federal Government, including 
many Members of Congress. 7 Lexis-Nexis originally reported that it made available 
records from its Seisint division on 32,000 Americans to a criminal ring that ex- 
ploited passwords of legitimate account holders. 8 That number was later revised to 
310,000. 9 DSW, a shoe company, announced that 103 of its 175 stores had cus- 
tomers’ credit and debit card information improperly accessed. 10 Last week, Time 
Warner revealed that it lost track of detailed data concerning 600,000 current and 
previous employees. 
Legislation in this area is long overdue. Regrettably, ChoicePoint and other infor- 
mation brokers have spent a great deal of time and money trying to block effective 
privacy legislation in Congress. According to disclosure forms filed with the U.S. 
House and Senate, obtained by the Wall Street Journal, ChoicePoint and six of the 
country’s other largest sellers of private consumer data spent at least $2.4 million 
last year to lobby Members of Congress and a variety of Federal agencies. The Jour- 
nal reports that, “ChoicePoint was the biggest spender, with $970,000 either paid 
to outside lobbyists or spent directly by the company.” 11 

But the real cost for these activities is borne by Americans, all across the country. 
This improper disclosure and use of personal information is contributing to identity 
theft, which is today the number one crime in the United States. According to a 
2003 survey by the Federal Trade Commission, over a one-year period nearly 5 per- 
cent of the adult population were victims of some form of identity theft. 12 

Growing Dependence on the Information Broker Industry 

Mr. Chairman, the representatives of the information-broker industry will testify 
this morning that the American economy and even our national security are becom- 
ing increasingly dependent on this industry. In many respects, this is true. These 
companies have become the true invisible hand of the information economy. Their 
ability to determine the opportunities for American workers, consumers, and voters 
is without parallel. If a ChoicePoint record says you were late on a rent payment, 
whether or not that’s true, you may lose a chance for a new apartment or a job. 
If one of these companies wrongfully removes registered voters from the voting 
rolls, those people are denied their Constitutional right to vote. 

The stakes become even higher with homeland security. Acxiom, for example, 
may play a central role in the identity verification procedures for Secure Flight, the 
new airline passenger pre-screening system. According to the Wall Street Journal, 
a Virginia company named Eagle Force has tested sample passenger information 
against commercial databases supplied by Arkansas-based Acxiom Corp. 13 Acxiom 
is the same company that stirred controversy after it shared information about 
JetBlue Airways’ passengers, without their knowledge, with a defense contractor in 
2002. 14 

Even as we become more reliant on these firms, the reports of problems in the 
industry and the skyrocketing problem of identity theft have made clear that Con- 
gress must step in. There are simply no market mechanisms that protect privacy, 
ensure accuracy, or limit security breaches where there is no direct obligation to the 
person whose personal information is at risk. 

EPIC’s Efforts To Bring Public Attention to the Problems With ChoicePoint 

Well before the recent news of the ChoicePoint debacle became public, EPIC had 
been pursuing the company and had written to the FTC to express deep concern 
about its business practices and its ability to flout the law. On December 16, 2004, 
EPIC urged the Federal Trade Commission to investigate ChoicePoint and other 
data brokers for compliance with the Fair Credit Reporting Act (FCRA), the Federal 
privacy law that helps ensure that personal financial information is not used improperly. 15 
The EPIC letter said that ChoicePoint and its clients had performed an end-run around 
the FCRA and were selling personal information to law enforcement 
agencies, private investigators, and businesses without adequate privacy protection. 

ChoicePoint wrote back to us to say, in effect, that there was no problem. The 
company claimed to comply fully with FCRA and that the question of whether FCRA, 
or other Federal privacy laws, should apply to all of its products was simply a policy 
judgment. It made this claim at the same time it was spending several million dollars 
over the last few years to block the further expansion of the FCRA. 

Mr. Chairman, hindsight may be 20-20, but it is remarkable to us that 
ChoicePoint had the audacity to write such a letter when it already knew that State 
investigators had uncovered the fact that the company had sold information on 
American consumers to an identity theft ring. They were accusing us of inaccuracy 
at the same time that State and Federal prosecutors knew that ChoicePoint, a com- 
pany that offered services for business credentialing, had exposed more than a hun- 
dred thousand Americans to a heightened risk of identity theft because it sold data 
to crooks. 

But the problems with ChoicePoint long preceded this recent episode. Thanks to 
Freedom of Information Act requests relentlessly pursued by EPIC’s Senior Counsel 
Chris Hoofnagle, we have obtained over the last several years extraordinary docu- 
mentation of ChoicePoint’s growing ties to Federal agencies and the increasing con- 
cerns about the accuracy and legality of these products. 16 So far, EPIC has obtained 
FOIA documents from nine different agencies concerning ChoicePoint. One docu- 
ment from the Department of Justice, dated December 13, 2002, discusses a “Report 
of Investigation and Misconduct Allegations . . . Concerning Unauthorized Disclosure 
of Information.” 17 There are documents from the IRS that describe how the agency 
would mirror huge amounts of personal information on IRS computers so that 
ChoicePoint could perform investigations. 18 Several documents describe ChoicePoint’s 
sole source contracts with such agencies as the United States Marshals Service and 
the FBI. 19 

Among the most significant documents obtained by EPIC were those from the 
Department of State, which revealed the growing conflicts between the United States 
and foreign governments that resulted from the efforts of ChoicePoint to buy data on 
citizens across Latin America for use by the U.S. Federal law enforcement agencies. 20 
One document lists news articles that were collected by the agency to track outrage in 
Mexico and other countries over the sale of personal information by ChoicePoint. 21 A 
second document contains a cable from the American Embassy in Mexico to several 
different government agencies warning that a “potential firestorm may be brewing as a 
result of the sale of personal information by ChoicePoint.” 22 A third set of documents 
describes public relations strategies for the American Embassy to counter public anger 
surrounding the release of personal information of Latin Americans to ChoicePoint. 23 

Lessons of ChoicePoint 

The ChoicePoint incident proves many important lessons for the Congress as it 
considers how best to safeguard consumer privacy in the information age. 

First, it should be clear now that privacy harms have real financial consequences. 
In considering privacy legislation in the past, Congress has often been reluctant to 
recognize the actual economic harm that consumers suffer when their personal in- 
formation is misused, when inaccurate information leads to the loss of a loan, a job, 
or insurance. Consumers suffer harms both from information that is used for fraud 
and inaccurate information that leads to lost opportunities through no fault of the 
individual. 

A clear example of how the company has contributed to the growing problem of 
identity theft may be found in ChoicePoint’s subscriber agreement for access to 
AutoTrackXP, a detailed dossier of individuals’ personal information. A sample 
AutoTrackXP report on the ChoicePoint website shows that it contains Social Secu- 
rity Numbers; driver license numbers; address history; phone numbers; property 
ownership and transfer records; vehicle, boat, and plane registrations; UCC filings; 
financial information such as bankruptcies, liens, and judgments; professional li- 
censes; business affiliations; “other people who have used the same address of the 
subject,” “possible licensed drivers at the subject’s address,” and information about 
the data subject’s relatives and neighbors. 24 This sensitive information is available 
to a wide array of companies that do not need to articulate a specific need for per- 
sonal information each time a report is purchased. ChoicePoint’s subscriber agree- 
ment shows that the company allows access to the following businesses: attorneys, 
law offices, investigations, banking, financial, retail, wholesale, insurance, human 
resources, security companies, process servers, news media, bail bonds, and if that 
isn’t enough, ChoicePoint also includes “other.” 

Second, it should be clear that market-based solutions fail utterly when there is no 
direct relationship between the consumer and the company that proposes to collect 
and sell information on the consumer. While we continue to believe that privacy 
legislation is also appropriate for routine business transactions, it should be obvious 
to even those that favor market-based solutions that this approach simply does not 
work where the consumer exercises no market control over the collection and use of 
their personal information. As computer security expert Bruce Schneier has noted, 
“ChoicePoint doesn’t bear the costs of identity theft, so ChoicePoint doesn’t take those 
costs into account when figuring out how much money to spend on data security.” 25 
This argues strongly for regulation of the information-broker industry. 

Third, there are clearly problems with both the adequacy of protection under current 
Federal law and the fact that many information products escape any kind of privacy 
rules. ChoicePoint has done a remarkable job of creating detailed profiles on American 
consumers that they believe are not subject to Federal law. Products such as 
AutoTrackXP are as detailed as credit reports and have as much impact on 
opportunities in the marketplace for consumers as credit reports, yet ChoicePoint has 
argued that they should not be subject to FCRA. Even their recent proposal to 
withdraw the sale of this information is not reassuring. They have left a significant 
loophole that will allow them to sell the data if they believe there is a consumer 
benefit. 26 

But even where legal coverage exists, there is insufficient enforcement, consumers 
find it difficult to exercise their rights, and the auditing is non-existent. According 
to EPIC’s research, while ChoicePoint claims to monitor their subscribers for 
wrongdoing, there is no public evidence that the company has referred a subscriber to 
authorities for violating individuals’ privacy. In other words, in the case where a 
legitimate company obtains personal information, there is no publicly available 
evidence that ChoicePoint has any interest in whether that information is subsequently 
used for illegitimate purposes. 

Law enforcement, which has developed increasingly close ties to information bro- 
kers such as ChoicePoint, seems to fall entirely outside of any auditing procedures. 
This is particularly troubling since even those reports that recommend greater law 
enforcement use of private sector databases for public safety recognize the impor- 
tance of auditing to prevent abuse. 27 

And of course there are ongoing concerns about the broad permissible purposes 
under the FCRA, the use of credit header information to build detailed profiles, and 
the difficulty that consumers continue to face in trying to obtain free credit reports 
that they are entitled to under the FACTA. 

Fourth, we believe this episode also demonstrates the failure of the FTC to ag- 
gressively pursue privacy protection. We have repeatedly urged the FTC to look into 
these matters. On some occasions, the FTC has acted. 28 But too often the Commis- 
sion has ignored privacy problems that are impacting consumer privacy and pro- 
ducing a loss of trust and confidence in the electronic marketplace. In the late 
1990s, the FTC promoted self-regulation for the information-broker industry and al- 
lowed a weak set of principles promulgated as the Individual References Service 
Group to take the place of effective legislation. It may well be that the ChoicePoint 
fiasco could have been avoided if the Commission chose a different path when it con- 
sidered the practices of the information-broker industry. 

The FTC has also failed to pursue claims that it could under section 5 of the FTC 
Act, which prohibits unfair practices. Practices are unfair if they cause or are likely 
to cause consumers substantial injury that is neither reasonably avoidable by 
consumers nor offset by countervailing benefits to consumers and competition. 29 It may 
be that the unfairness doctrine could be applied in cases where there is no direct 
relationship between the consumer and the company, but to date the FTC has failed 
to do this. 30 

Fifth, we believe the ChoicePoint episode makes clear the importance of state- 
based approaches to privacy protection. Congress simply should not pass laws that 
tie the hands of State legislators and prevent the development of innovative solu- 
tions that respond to emerging privacy concerns. Many states are today seeking to 
establish strong notification procedures to ensure that their residents are entitled 
to at least the same level of protection as was provided by California. 31 

In this particular case, the California notification statute helped ensure that con- 
sumers would at least be notified that they are at risk of heightened identity theft. 
This idea makes so much sense that 38 attorneys general wrote to ChoicePoint to 
say that their residents should also be notified if their personal information was 
wrongly disclosed. 32 ChoicePoint could not object. It was an obvious solution. 

Recommendations 

Clearly, there is a need for Congress to act. Although ChoicePoint has taken some 
steps to address public concerns, it continues to take the position that it is free to 
sell personal information on American consumers to whomever it wishes where 
ChoicePoint, and not the consumer, believes there is a “consumer-driven benefit or 
transaction.” 33 Moreover, the industry remains free to change its policies at some 
point in the future, and the steps taken to date do not address the larger concerns 
across the information-broker industry. 

Modest proposals such as the extension of the Gramm-Leach-Bliley Act’s Security 
Safeguards Rule are unlikely to prevent future debacles. The Safeguards Rule mere- 
ly requires that financial institutions have reasonable policies and procedures to en- 
sure the security and confidentiality of customer information. Recall that the disclo- 
sure by ChoicePoint did not result from a “hack” or a “theft” but from a routine sale. 
Moreover, the Security Safeguards Rule will do nothing to give consumers greater 
control over the transfer of their personal information to third parties or to promote 
record accuracy. 

Extending notification statutes such as the California bill would be a sensible 
step, but this is only a partial answer. Notification only addresses the problem once 
the disclosure has occurred. The goal should be to minimize the likelihood of future 
disclosures. It is also important to ensure that any Federal notification bill is at 
least as good as the California state bill and leaves the states the freedom to 
develop stronger and more effective measures. What happens, for example, when at 
some point in the future, we must contend with the extraordinary privacy problems 
that will result from the disclosure of personal information contained in a database 
built on biometric identifiers? 
There are several proposals pending in the Senate to address the growing problem 
of identity theft. In particular, the Notification of Risk to Personal Data Act, S. 751, 
and the Comprehensive Identity Theft Prevention Act, S. 768, provide strong 
complementary safeguards. The Committee should act quickly to ensure their passage. 

Notification of Risk to Personal Data Act, S. 751 

One of the lessons of the recent disclosures about the information-broker industry 
is that we could not understand the scope of the problem without information about 
actual security breaches. Imagine trying to legislate airline safety or the reliability 
of medical products without even basic information about the extent of the problem 
or the number of people affected. That is where the information security problem 
was before the passage of the California notification law. That critical State law en- 
sured, for the first time, that those whose personal information had been wrongfully 
disclosed would be notified of the breach and given the opportunity to take addi- 
tional measures. Not surprisingly, once the problem became known, other states 
urged ChoicePoint to provide notification to their residents. Thirty-eight State attor- 
neys general wrote to the head of ChoicePoint. Many State legislatures are now con- 
sidering bills that would establish similar notification obligations. 

Given this experience, Senator Feinstein’s bill, the Notification of Risk to Personal 
Data Act, is an obvious first step in the effort to help ensure that Americans can 
protect themselves when security breaches occur. The bill would require Federal 
agencies and private sector businesses that engage in interstate commerce to pro- 
vide notification when personal information is acquired by unauthorized persons. 
The bill recognizes that there may be delayed notification where this is necessary 
to aid a law enforcement investigation. The bill also provides certain exceptions for 
national security and law enforcement, though sensibly does not allow these excep- 
tions to be used to hide violations of law or to protect poor administration. There 
are a number of alternatives for notification that recognize that there may be more 
efficient and less costly ways to notify individuals in certain circumstances. 

While this is a good measure, we are concerned that the bill will preempt stronger 
State laws that may be developed to address the problem of notification where risks 
to personal data arise. We understand the interest in a single national standard, 
but this is an area where the states should retain the freedom to innovate and ex- 
plore new solutions to this far-reaching problem. We urge the Committee to remove 
Section 5 of the Act, which would preempt State law. 

We also caution against any effort to limit the circumstances under which notifi- 
cation might occur. As a matter of fairness, it should be the individual’s right to 
know when his or her personal information has been improperly obtained. And it 
should be equally obvious that given the choice businesses will choose not to provide 
notice unless they are required to do so. 

Comprehensive Identity Theft Prevention Act, S. 768 

Improved notification will play an important role in assisting consumers where se- 
curity breaches occur, but clearly the long-term goal must be to reduce the risk of 
these disclosures and to minimize harm when these breaches occur. This is not a 
new problem. Congress has worked for more than thirty years to provide privacy 
safeguards and to protect against the risks associated with the automation of per- 
sonal information. A good privacy bill works for both consumers and businesses. The 
Fair Credit Reporting Act, for example, was a benefit to both consumers and the 
credit reporting industry because it established privacy safeguards and helped en- 
sure greater accuracy in the information that was made available to credit grantors. 

The problem today is that information brokers are operating outside of any com- 
prehensive regulatory scheme. Moreover, they have no direct relationship with the 
individuals whose personal information they routinely sell to others. So, there are 
inadequate incentives to protect privacy or to ensure accuracy. There is a clear need 
to establish comprehensive protections for the information-broker industry. 

The Comprehensive Identity Theft Prevention Act, S. 768, provides an excellent 
framework for privacy protection in the information-broker industry. Building on 
the general approach of the FCRA and other privacy statutes, the bill aims to en- 
sure that when personal information is collected, it will be used for appropriate pur- 
poses, and that when problems arise there will be meaningful remedies. 

The Act requires the Federal Trade Commission to establish rules for information 
brokers and for the protection of personal information. The rules cover data accu- 
racy, confidentiality, user authentication, and detection of unauthorized use. Signifi- 
cantly, the Act also gives individuals the opportunity to review the information 
about them held by data brokers. This helps ensure accuracy and accountability and 
is similar to provisions currently found in the Fair Credit Reporting Act. 
The Information Protection and Security Act also provides meaningful enforcement 
by ensuring that the states are able to pursue investigations and prosecution, after 
appropriate notice to the FTC and the attorneys general. The Act also gives 
individuals, who of course are the ones that suffer the actual harm, the ability to 
pursue a private right-of-action. 

Additional Safeguards 

Furthermore, to the extent that information brokers, such as ChoicePoint, rou- 
tinely sell data to law enforcement and other Federal agencies, they should be sub- 
ject to the Federal Privacy Act. A “privatized intelligence service,” as Washington 
Post reporter Robert O’Harrow has aptly described the company, ChoicePoint should 
not be permitted to flout the legal rules that help ensure accuracy, accountability, 
and due process in the use of personal information by Federal agencies. 34 It would 
be appropriate to consider legislation that would establish safeguards for the use 
of commercial information by government agencies. 35 

Also, Professor Daniel Solove and EPIC’s Chris Hoofnagle have put a very good 
framework forward. 36 This approach is similar to other frameworks that attempt to 
articulate Fair Information Practices in the collection and use of personal informa- 
tion. But Solove and Hoofnagle make a further point that is particularly important 
in the context of this hearing today on ChoicePoint. Increasingly, the personal infor- 
mation made available through public records to enable oversight of government 
records has been transformed into a privatized commodity that does little to further 
government oversight, but does much to undermine the freedom of Americans. 
While EPIC continues to favor strong, open government laws, it is clearly the case 
that open government interests are not served when the government compels the 
production of personal information, sells the information to private data vendors, 
who then make detailed profiles available to strangers. This is a perversion of the 
purpose of public records. 

Looking ahead, there is a very real risk that the consequences of improper data 
use and data disclosure are likely to accelerate in the years ahead. One has only 
to look at the sharp increase in identity theft documented by the Federal Trade 
Commission, the extraordinary rate of data aggregation in new digital environ- 
ments, and the enormous efforts of the Federal Government to build ever more 
elaborate databases to realize that the risk to personal privacy is increasing rapidly. 
Congress can continue to deal with these challenges in piecemeal fashion, but it 
seems that the time has come to establish a formal government commission charged 
with the development of long-term solutions to the threats associated with the loss 
of privacy. Such a commission should be established with the clear goal of making 
specific proposals. It should include a wide range of experts and advocates. And it 
should not merely be tasked with trying to develop privacy safeguards to counter 
many of the government’s new surveillance proposals. Instead, it should focus 
squarely on the problem of safeguarding privacy. 

Congress needs to establish a comprehensive framework to ensure the right of pri- 
vacy in the twenty-first century. With identity theft already the number one crime, 
and the recent spate of disclosures, any further delay could come at enormous cost 
to American consumers and the American economy. 

The REAL ID Act 

Finally, Mr. Chairman, I would like to say a few words about the REAL ID Act, 
a sweeping proposal for a new Federal identification system, that may be taken up 
tonight as part of the supplemental appropriation for the troops in Iraq. 

As you know, this bill, which was rejected in the last Congress, has gone forward 
in this Congress without even a hearing. It would require State agencies to collect 
sensitive, personal information on every American citizen who drives a car. It would 
put the State DMVs in the position of enforcing the country’s immigration laws. It 
would give the Federal Government broad authority to regulate a traditional State 
function. Whatever one’s views may be about the merits of the legislation, it should 
concern all sides that this proposal could pass in the Senate without a hearing or 
even debate. 

I make this point today in this hearing on identity theft because the State DMV 
record systems have actually become the target of identity thieves. In recent 
months, three State DMVs have been attacked by identity thieves. In March, bur- 
glars rammed a vehicle through a back wall at a DMV near Las Vegas and drove 
off with files, including Social Security numbers, on about 9,000 people. Recently, 
Florida police arrested 52 people, including 3 DMV examiners, in a scheme that sold 
more than 2,000 fake driver’s licenses. Two weeks ago, Maryland police arrested 
three people, including a DMV worker, in a plot to sell about 150 fake licenses. 
It is obviously the case that the establishment of new identification requirements 
in the United States, the dramatic expansion of the authority of the Department of 
Homeland Security, and the requirement that we all now deposit with State agen- 
cies the very documents that establish our proof of identity will have a profound 
impact on the issues under consideration today. 37 

Under any reasonable policy process, there would be an opportunity to examine 
these issues in more detail and to assess the risks that will surely result from the 
implementation of this legislation. Before there is a vote on this proposal, there 
should be a hearing in this Congress on this bill. 38 That power still remains with 
the Senate. I urge you to exercise it. 

Conclusion 

For many years, privacy laws came up either because of the efforts of a forward- 
looking Congress or the tragic experience of a few individuals. Now we are entering 
a new era. Privacy is no longer theoretical. It is no longer about the video records 
of a Federal judge or the driver registry information of a young actress. Today pri- 
vacy violations affect hundreds of thousands of Americans all across the country. 
The harm is real and the consequences are devastating. 

Whatever one’s view may be of the best general approach to privacy protection, 
there is no meaningful way that market-based solutions can protect the privacy of 
American consumers when consumers have no direct dealings with the companies 
that collect and sell their personal information. There is too much secrecy, too little 
accountability, and too much risk of far-reaching economic damage. 

There are two important bills now before the Committee. The Notification of Risk 
to Personal Data Act, S. 751, would provide meaningful notice to individuals when 
their personal information is wrongfully disclosed. The Comprehensive Identity 
Theft Prevention Act, S. 768, would help reduce the likelihood of future breaches. 
I hope the Committee will be able to act quickly on these proposals. 

I appreciate the opportunity to be here today. I will be pleased to answer your 
questions. 
Senator Smith. Mr. Rotenberg, it is a fact that — I think one of 
my colleagues — Senator Kerry was asking — if you sign up to buy 
insurance on your property, you’re not signing up to have your in- 
formation shared, necessarily. Or are there, in most of these trans- 
actions, opt-in and opt-out factors or provisions? 

Mr. Rotenberg. Well, this is a very important point, Senator. In 
most of these transactions, the individual actually has no direct re- 
lationship with the information broker. In other words 

Senator Smith. Are they even aware? 

Mr. Rotenberg. They don’t know who these companies are. They 
don’t deal directly with them. If you have a privacy problem with 
a bank, for example, you might decide not to do business with that 
bank, and you would have the opportunity in the marketplace to 
find another bank to do business with. But, you see, these compa- 
nies are very similar to the credit-reporting companies, in that they 
provide information that affects the ability of consumers to partici- 
pate in the marketplace, to get jobs, to rent apartments, to obtain 
insurance, but consumers have no direct relationship with them. 
And that’s why we think regulation in this area is so important. 

Senator Smith. But if we had — if this were at all possible, would 
you recommend, in the legislation, they have a means for opting- 
in to some of this identity — identification 

Mr. Rotenberg. Yes. 

Senator Smith. Yes. 

Mr. Rotenberg. Yes. Under circumstances where the consumer 
believes 

Senator Smith. They want 

Mr. Rotenberg. — there’s a benefit. 

Senator Smith. — they want it known. 

Mr. Rotenberg. Absolutely. In fact, that’s one of the approaches, 
we think, for credit reports, for example, consumers certainly 
would want to make their credit reports available if they’re seeking 
a loan. And I don’t think any legislation should stop them from 
doing that. We’re concerned about the circumstances where their 
credit reports are made available that they haven’t made that 
choice. 

Senator Smith. Thank you. 

Ms. Frank? 

STATEMENT OF MARI J. FRANK, ESQ., ATTORNEY, 
MARI J. FRANK, ESQ. & ASSOCIATES 

Ms. Frank. Hi. Thank you, presiding Senator Smith and honorable 
Committee members, invited guests. And I want to especially 
thank Senator Nelson for S. 500, which I wholeheartedly support. 
And I will be happy to help you on S. 768, because I think there 
are a lot of great things in that, as well. 

I’m an attorney. My name is Mari, by the way — people call me 
everything, but it is Mari — my name is Mari Frank, and I’m an at- 
torney and privacy 





Senator Smith. We’re called a lot of things, too. 

[Laughter.] 

Ms. Frank. I know. I know. 

[Laughter.] 

Ms. Frank. I’m an attorney and privacy consultant from Orange 
County, California. I’ve assisted thousands of identity-theft victims, 
and I also sit as an advisor to the State of California Office of Pri- 
vacy Protection. 

In 1996, my identity was stolen by an imposter who paraded as 
me, robbing not only my personal life, but my professional identity. 
She took over $50,000 in credit, purchased a red convertible, rented 
a car and crashed it, and I was sued by the rental agency. I learned 
that, while working as a temporary secretary in an office 4 hours 
from my home, my evil twin downloaded my consumer report from 
an information broker. Because there is no law requiring a data 
broker to inform me of the purchase, I couldn’t do anything to pre- 
vent this heist. 

Most victims are not negligent with their personal information, 
and nothing will protect them from fraud if their information is ac- 
quired from a security breach or by faulty information practices of 
data aggregators. 

Your personal information is worth more than currency itself. A 
fraudster can do anything you can do with your identification, and, 
even worse, they can do things like you — that you would not do, 
such as commit crimes, seek revenge, or even engage in terrorist 
activities. 

Here are some examples of the main types of identity theft: 

The first one is financial gain. These are examples of people who 
have personally contacted me. 

George had a great job in the financial industry. When he was 
up for promotion, he permitted a background check, which showed 
that he had several very expensive properties, luxury cars, and 
even a boat. Also, it showed a problem with his CPA license. He 
learned that there were many credit accounts also that did not be- 
long to him. He was flabbergasted, since this was not true, none 
of these things were true. Needless to say, he lost the promotion. 

Second use, avoiding prosecution or avoiding arrest. Lori — and, 
by the way, Lori is here with me today. I have been helping her 
since last December, and Lori drove 4 hours to meet me and come 
to this hearing. She’s with me today. Lori, a disabled vet who — and 
a single mom with a set of 6-year-old twins, was attending school 
to get her B.A. degree when the police showed up at her door. She 
was arrested and convicted for a crime that was committed by her 
imposter. Neither her fingerprints nor her physical description 
matched the impersonator. She’s hoping that we’ll get a new trial 
for her, but, more worrisome than that, she’s fearful that, even 
when we get this cleaned up — which I’m sure we will — that the in- 
correct data will be resold. 

And here’s the reason why I’m thinking this will happen. Scott 
Lewis is another client of mine who wanted to drive from Ohio 
today, but I think he sent the Senators a note. Scott was laid off 
from a high-paying job. He had great recommendations and felt 
sure that he would be rehired. For 2 years, he was denied employ- 
ment. After hiring a private investigator, he saw his file from a 
data broker. Included in it were two driving — three DUIs and an 
arrest for murder, none of which belonged to him. 

After the databases were finally cleaned up, after a tremendous 
amount of time and effort, he still couldn’t get a job. So, again, we 
pulled his consumer background check. And, what did we find? The 
data broker was continuing to sell the erroneous information to all 
the prospective employers. Scott spent hundreds of hours living the 
nightmare of identity theft, and we did get him on Dateline and fi- 
nally we were able to get him a job. 

Revenge. This is another reason someone does this. A radio talk- 
show host called me. He was shocked to learn that his own identity 
was stolen by a disgruntled listener who bought his dossier from 
an online information broker. Aside from calling him at home and 
bullying him, he obtained access to his e-mail and sent embar- 
rassing e-mails to the station, pretending to be the talk-show host. 

And, finally, the last, but scariest, is terrorism and the threat to 
homeland security. The 9/11 terrorists had opened over 14 accounts 
at a Florida bank, using the false Social Security numbers and 
other documents. They also received thousands of dollars worth of 
credit. Not only did they do this for financial gain, but over half 
of them had names that were known as suspected terrorists. So 
they committed total identity-theft takeover. And, worse, they used 
these false identities to get revenge against our country. 

Recently, at a meeting that I attended with Senator Feinstein in 
California, law enforcement reported to her that suspected terror- 
ists have been apprehended with many false documents in Cali- 
fornia so that they could hide under the radar screen and come 
over across our borders. 

Your identity is especially vulnerable with regard to the mega- 
databases held by information brokers who are selling huge 
amounts of your sensitive information in all-inclusive profiles with- 
out any governmental oversight. The very essence of the data- 
broker business is selling a broad range of very private and highly 
sensitive information, which, if acquired by a person with a crimi- 
nal intent, provides a complete comprehensive package ready for 
identity takeover. 

These databases contain your personal, professional, social, pos- 
sibly criminal — true or not — and financial existence. Tapping into 
your data profile is a fraudster’s dream come true. 

In my written testimony, I attached Exhibit I, which has the 
ChoicePoint AutoTrack, which will show you the kinds of informa- 
tion — it’s a sample — it’s not a real person, by the way; it’s just a 
sample. It will shock you, as it did me. 

When I recently attended the State Bar of California annual 
meeting, a data broker in the exhibit hall pulled my background 
after I gave him just my name. I was horrified — not only because 
I felt violated by all that it revealed, but, worse, by the tremendous 
number of errors. I was told that there was no way to correct the 
egregious mistakes. I was stunned by the prospect that aspects of 
that report may have resulted from my imposter’s actions. 

Also, I was reminded of the Amy Boyer case, where Liam Youens 
used information broker Docusearch to obtain Amy’s Social Secu- 
rity number and work address to kill her and then himself. Police 
later found a message on his computer that said, “It’s actually obscene what you can find out about people on the Internet.” 

Data brokers are invisible to most citizens. Everyone in this 
room who has a birth certificate, a driver’s license — or if there’s 
any public record about you at all, you are in those secret files. And 
there’s much more about you from the data aggregation. Every 
Senator and everyone watching this hearing is in those profiles. 
Have you seen your dossier? Do you know what fact or fiction is 
being sold about you? 

As the law stands now, you don’t have the right to know what 
is in these files, nor do you have the right to correct the many er- 
rors, nor do you have the right to know who has had access to 
these sensitive files, nor can you limit the sale. Actually, none of 
us here, except maybe the data brokers, have control over anything 
in those files. These companies have operated in the shadows and 
have sold this often erroneous information to myriad companies, 
the government, and even to fraudsters. 

Most Americans don’t even know who these companies are or 
what they do. This is America, the home of freedom and liberty. 
This is not a communist country or a Nazi regime where secret 
files are kept on citizens and shared with various entities and gov- 
ernmental agencies. 

Don’t law-abiding citizens have a right to at least see the dos- 
siers and make sure that the information is correct? 

Although the credit-reporting agencies are considered data bro- 
kers, they’re regulated by the FCRA, the Fair Credit Reporting Act. 
And that law gives us the right to see our data, review it, dispute 
it, correct it, find out who has had access to it, and we can even 
limit the sale. 

What is the impact of security breaches of the data brokers that 
are here today? Those impacted may not yet be victims of identity 
theft, yet they are victims of a Federal crime. The Identity Theft 
and Assumption Deterrence Act of 1998, which I testified for back 
then, 18 U.S.C. 1028, makes it a Federal crime when anyone know- 
ingly transfers or uses without lawful authority a means of identi- 
fication of another person with the intent to commit or aid or abet 
any unlawful activity that constitutes a Federal — a violation of 
Federal law or that constitutes a felony under applicable State or 
local law. 

I have personally spoken with victims of many of these security 
breaches. The victims feel very violated, frightened, and helpless. 
It is well known that criminals steal the information, but may not 
use it for months, or even years, afterwards. Additionally, the vic- 
tims have not been notified of exactly what was stolen. They 
haven’t seen these dossiers. So they feel entirely defenseless and 
don’t even know what to protect. 

All right. So, what needs to be done? I’m going to go quickly. I 
really appreciate everything in S. 500, and I have a lot more, 25 
pages, in my written testimony, but I’m going to just do a quick 
sweep here. 

Senator Smith. We’ll include it all in the record. 

Ms. Frank. Right, OK. So, you can all see it. And I would really 
like you to look at my attachments, as well. I think they’re very 
important. 
Number one, what do we need? We need transparency. That 
means we need to see what they have available, in front of us, for 
inspection. We need to define the uses of this information. 

Number two, we need consent and notice. Consumers should be 
able to give their consent to disclosure of their information prior to 
disclosure. 

The consumer should be able to know when it’s sold. 

And the consumer should receive a free copy once a year, like we 
do under FCRA. 

The consumer should also have access and inspection and the 
ability to correct. There should also be quality controls and timely 
correction, so that if I contact an agency and I see — for example, 
what happened to me, I would like to correct what’s in that file, 
yet I — at this point, I can’t. And I want to know that I can correct 
it. And if it’s a public record, I need to know where to go to correct 
it. 

There must be strict security controls against risk of loss. We 
know this from what recently happened. 

We need enforcement. Unfortunately, what I have seen, in the 
past 9 years since I have been a victim, is that the Federal Trade 
Commission is overwhelmed. I also now am also a sheriff reserve 
in Orange County, and I know that — and California is one of the 
top states for identity theft — about one in ten cases are inves- 
tigated; and, of those one in ten cases, about one in ten are pros- 
ecuted. So, enforcement is really important. And the Federal Trade 
Commission doesn’t take many cases on this. So 

Senator Smith. What do they find? Do they lead to a few people, 
or to many? 

Ms. Frank. Depends. It depends on the circumstance. They usu- 
ally won’t take the case unless it’s of very high jurisdictional value 
or if they think it’s a fraud ring, because they just have to 
prioritize. They just have limited resources. 

Enforcement should be by private right-of-action. It should also 
be by attorneys general and the Federal Trade Commission. 

And it’s very important that we preserve State rights. I’m from 
a State that has been very proactive. We have the best privacy leg- 
islation, we are the only State with an Office of Privacy Protection. 
And it’s our laws — in fact, we were the second State to have an 
identity-theft statute. We have the best identity-theft statutes, as 
far as penal codes, in the country. We have the security-breach law. 
We also allow security freezes to lock up your credit report, so, if 
you’re a victim or even a consumer, you — no one can steal your 
credit identity. So 

Senator Smith. Are those laws working? 

Ms. Frank. Yes. And — well, we know that the security-breach 
law is working, because in July of 2003, our law became effective. 
Prior to July 2003, we know that LexisNexis and ChoicePoint both 
had security breaches that they admitted in a hearing before the 
U.S. Senate. And they did not reveal it to anyone — I mean, to law 
enforcement, yes — but they did not reveal to potential victims. 
After 2003, we have seen a tremendous amount of disclosure be- 
cause of our security-breach law. If it had not been for California, 
you would not even be here today to know about all this. 

So, that and the security-freeze laws, if we did not lock up the 
credit reports — right now, there are four states that allow you to 
close up your credit report for your credit freeze, and they are Cali- 
fornia, Texas, Vermont, and Louisiana. And I know there are 19 
states that have introduced such legislation. 

So, if you tie the hands of State legislators, you’re going to find 
that there is going to be a huge amount of problems for victims 
who cannot get some regulation to help them. And a lot of your 
bills, even the bills that were introduced by Senator Feinstein with 
regard to Social Security are based on California law. 

I understand about Federal preemption, that companies don’t 
want to have to speak to all of the various states and deal with 
that — it’s expensive — but I think we need to have a floor, not a ceil- 
ing. 

And I’ll be happy to help this committee in any way I can. Thank 
you. 

[The prepared statement of Ms. Frank follows:] 

Prepared Statement of Mari J. Frank, Esq., Attorney, Mari J. Frank, Esq. & Associates 

Good morning, Chairman Stevens, Co-Chairman Inouye, Presiding Senator Smith, 
Honorable Committee Members, and invited guests. Thank you very much for the 
opportunity to address you today regarding concerns about identity theft and data 
broker services. I am grateful that Congress is studying this issue to craft strong 
measures to prevent identity theft in our society. Your desire to shine the light on 
these problems and make needed changes deserves commendation. I also thank this 
panel of witnesses who will educate us about these issues from all perspectives and 
help to create solutions so that we may better protect our personal and confidential 
information and reduce this insidious crime. Additionally I thank Senator Bill Nel- 
son for introducing S. 500, The Information Protection and Security Act, which I 
support because it addresses the need for responsible and reasonable oversight over 
the data broker services industry while providing fair information principles. I will 
be happy to assist this Committee with other legislative proposals such as S. 768 
and others. Since this issue affects each one of us, I encourage a bi-partisan collabo- 
rative approach to protect ourselves from identity theft. 

My name is Mari Frank. I am an attorney, privacy consultant, and author of several books on identity theft from Laguna Niguel, California. (My two newest books are Safeguard Your Identity: Protect Yourself with a Personal Privacy Audit (Porpoise Press, 2005) and From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft, 2nd Edition with CD (Porpoise Press, 2005); www.identitytheft.org.) I serve as a volunteer Sheriff Reserve for the Orange County, 
California Sheriff Department, and sit on the Advisory Board of the State of Cali- 
fornia Office of Privacy Protection which focuses on privacy and identity theft safe- 
guards for California citizens. Additionally, I am a member of the State of Califor- 
nia’s Department of Motor Vehicle’s Task Force on Privacy and Identity Theft, I’ve 
served on the Los Angeles District Attorney’s Office Task Force on Identity Theft, 
and I am an advisory board member to the nonprofit Identity Theft Resource Cen- 
ter. I have personally assisted myriad victims across the country with my personal 
time and educational materials, and have donated hundreds of pro-bono hours to as- 
sist victims. I have had the privilege of testifying before several legislative bodies 
and four U.S. Congressional Committees, and have consulted with national corpora- 
tions on how to protect their clients, customers, vendors, employees, and their busi- 
nesses from the challenges of identity theft and other privacy concerns. I am a cer- 
tified trainer for Continuing Legal Education of the State Bar of California, a former 
law professor, and I presently teach Conflict Management at the University of Cali- 
fornia, Irvine. 

My own identity was stolen (in 1996) by an impostor who paraded as me — steal- 
ing my personal as well as my professional lawyer identity. While wrecking my 
credit, she also destroyed my sense of security and peace of mind. My impersonator 
obtained over $50,000 using my name, purchased a red convertible Mustang, and 
even caused me to be threatened with a lawsuit by a rental car company for the 
auto that she damaged in an accident. It took me almost a year and over 500 hours 
to clear my records and regain my credit and my life. I accumulated five banker 
boxes of correspondence, and lived in fear of how else this invisible person might 
harm me and my children. I finally learned that while working as a temporary sec- 
retary in a law office four hours from my own office, my evil twin (who I never met) 
was able to access my credit history (as well as the profile of other lawyers) from 
an information broker who had a contract with that office. My impostor did not need 
to prove who she was or establish that she had a permissible purpose to download 
the profile, so it was instantly faxed to her. From that report, she obtained my So- 
cial Security number and other personal and financial facts to become my identity- 
clone. When that data broker, situated across the country, electronically transferred 
my consumer profile to a criminal in a city 4 hours from my home, it was beyond 
my control to do anything to prevent the fraud. 

From that arduous nightmare, I gained great insight into the tribulations that 
victims endure — I became an expert by necessity. After speaking with several thou- 
sand victims, I have learned that most victims are not negligent with their personal 
information, and that no amount of “consumer education” or vigilance will protect 
them from identity theft if their information is acquired in a security breach by an 
unscrupulous employee, or by faulty information handling practices of entities that 
maintain their data. Consumer-privacy education is important to minimize your risk 
and keep you informed as to barriers to erect, but it won’t guarantee that your iden- 
tity won’t be stolen by a data breach. 

Your esteemed Committee has invited me to focus on the concerns and problems 
experienced by victims of identity theft and security breaches. I will concentrate my 
testimony on answering the following questions: 

I. What Are the Motivating Factors for Stealing Your Sensitive Information? 

II. How Does Identity Theft Occur, and What Are the Unique Issues as to Data 
Brokers? 

III. What Are Real Life Examples of Identity Theft as They Relate to Informa- 
tion Brokers? 

IV. What Is the Impact of Security Breaches on Citizens Whose Information Is 
Stolen? 

V. What Needs to Be Done with Regard to Minimizing the Risks of Identity 
Theft With Regard to Information Brokers? 

VI. What Else Is Needed To Prevent and Resolve Identity Theft? 

I. What Are the Motivating Factors for Stealing Your Sensitive Information? 

In our data-driven society your personal information is readily transferred across 
the world in a nano-second through networks and on the Internet (whether or not 
you are a computer user). Your personal information, worth more than currency 
itself, can be used to apply for credit cards, credit lines, mortgages, cell phones, in- 
surance, utilities, products and services, etc., all without your knowledge. A 
fraudster can do anything you can do with your identifying information — and 
worse — even do things you wouldn’t do such as commit crimes, seek revenge, or en- 
gage in terrorist activities. 

A. What Is Identity Theft and How Is It Used? 

Identity theft occurs when your personal (or business) identifying information 
such as your name, Social Security number, address, birth date, unique passwords, 
business name or logo, or even biometric information, is used or transferred with 
the intent to use it for an unlawful purpose. Below are the main motivations of 
fraudsters: 

1. Financial Gain 

This includes credit, loans, new accounts, mortgages, employment, health care, in- 
surance, welfare, citizenship, and other governmental and corporate benefits — any- 
thing that has a dollar value. The fraud may take place in multiple jurisdictions, 
and purchases and transfers can be made by phone, fax, online or in person. Usu- 
ally, the perpetrator can buy or “legally” obtain a driver’s license, create checks on 
a computer with the victim’s name, obtain, buy, or create other identity documents 
including medical cards, credit cards, passports, etc. 

2. Avoiding Arrest or Prosecution 

A criminal commits crimes in the real world or virtual electronic world, or ter- 
rorist acts using the name and identifying information of another person. Often the 
perpetrator also commits financial fraud as well to supplement her income. In a re- 
cent meeting I attended with Senator Feinstein and law enforcement, detectives and 
district attorneys in California (and also in Washington) reported that 80-90 percent of identity thieves who are caught also have a pending or prior methamphetamine charge against them as well. In my own case, my impersonator was 
a “meth” addict who stole the identity of several lawyers to obtain credit and funds 
to feed her drug habit. 

3. Revenge 

One can remain “invisible” by stealing an identity to hurt another person. This 
type of fraud may occur between ex-spouses, former business partners, ex-employ- 
ees, disgruntled staff or angry customers. We also see this type of fraud committed 
in businesses where one business owner will want to ruin the reputation of another. 
It can occur offline or online. I’ve been contacted by employees, and business owners 
who learned that their e-mail address was used to discredit them. 

4. Terrorism (Breaching Homeland Security) 

The September 11, 2001 terrorists had opened 14 accounts at a Florida bank, 
using false Social Security numbers and other documents. They obtained credit 
cards, apartment units, leased cars, and fraudulently charged airline tickets. They 
not only did this for financial gain, but also over half of them likely suspected that 
their true names were in FBI files as suspected terrorists, so they committed total 
identity take-over to avoid arrest. And worse, they used false identities to get re- 
venge against our country. In Senator Feinstein’s meeting with law enforcement in 
California on March 29, 2005, law enforcement reported that suspected terrorist 
cells have been apprehended with false documents in California. It is well known 
that foreign nationals have covertly crossed our borders and have easily obtained 
stolen identity documents to hide under the “radar screen.” 

II. How Does Identity Theft Occur, and What Are the Unique Issues as to Data Brokers? 

A. Ways That Your Personal Information Is Stolen 

The scope and extent of the problem of identity theft is rampant. In 2003 the FTC conducted a survey that found almost 10 million new victims that year, and 27.3 million victims in the previous five years, with a cost to consumers of $5 billion and a loss to financial institutions of $48 billion (www.consumer.gov/idtheft). According to the Identity Theft Resource Center, victims paid an average of $1,400 in out-of-pocket costs (not including attorney fees) and spent an average of 600 hours to regain their credit and identity (www.idtheftcenter.org). The monetary costs are minuscule compared to the devastation, stress and violation one feels when they are denied a job, unable to get a car or apartment, lose the opportunity for a home, lose insurance health benefits, or find out there is a warrant for their arrest — or worse yet, when they are convicted of a crime committed by their impostor. Victims have a great burden to “prove” their innocence, beg for an identity theft report, and spend hundreds of hours calling and writing various agencies and companies to get their life back. 

The epidemic of identity theft is growing because sensitive, personal information is acquired very easily, and the issuers of credit are often less than careful in verifying and authenticating the true identity of the applicant. There are many ways that fraudsters obtain data about us — it may be appropriated by stolen mail, dumpster-diving, lost or stolen wallets, shoulder surfing, burglary, friends, relatives (only about 9 percent), unscrupulous employees, phone fraud, Internet fraud (phishing and pharming), spyware, hackers, unprotected wireless networks, unethical use of public documents that contain personal information, needless display of the Social Security numbers on government documents (such as military and Medicare identification cards), and the transfer, sale and sharing of Social Security numbers and other data among financial institutions, credit reporting agencies and data brokers. 

B. Data Brokers’ Files Provide Massive, Broad-Based Information When Accessed by Fraudsters 

Although an identity thief has a choice of simple, easy ways to steal your good name, as listed above, your identity is especially vulnerable with regard to the mega-databases held by information brokers who are collecting, storing, sharing, buying, transferring and selling huge amounts of personal and sensitive information in all-inclusive profiles without any governmental oversight. (For example, it is reported that ChoicePoint has 19 billion files on citizens.) Although the credit bureaus also hold vast financial and personal data — and if accessed also wreak havoc for victims (like what happened to me) — at least these credit reporting agencies are regulated by the Fair Credit Reporting Act, and there was a way for me to correct my file. 
The very essence of the data broker business is selling a broad range of very private and highly sensitive information which if acquired by a person with criminal 
intent, provides a complete comprehensive package ready made for total identity- 
takeover. These databases contain your personal, professional, social, (possibly crimi- 
nal) and financial existence. Tapping into your data profile is a fraudster’s dream 
come true. The huge, lengthy dossiers provide far more than just a Social Security 
number or the limited information that could be accessed from stealing a bank ac- 
count, your mail, or even your un-shredded trash. Many of these companies have 
various products for sale which will tell the recipient of the report far more about 
you than your family or friends know. Most of us have seen our credit reports and 
know how all embracing they are with regard to our financial profile, but few of 
us have seen our complete dossier stored and sold by the data aggregators. To give 
you an example of one type of product, I have attached as Exhibit I, a sample 
AutoTrack report sold by ChoicePoint for you to see how much information may be 
revealed about you, which also includes the persons in your home, and surrounding 
neighborhood. It should startle you. 

C. Viewing Your Vast Profile 

When I attended the State Bar Annual Meeting last fall, I visited the exhibit hall 
and was summoned by one of the data brokers to view my profile to see if I wished 
to purchase this data information service in my law office. All I provided was my 
name, and instantly 30 pages of private information (including my Social Security 
number) appeared on the computer screen. I was shocked and horrified, not only 
because I felt very violated by all it revealed, but worse yet, by the numerous errors! 
I asked the salesperson how I could correct the information and was told that I 
could not correct any information in the file; that this information was not subject 
to the Fair Credit Reporting Act. Please review this attached sample profile and 
consider how each category heading is labeled, i.e.: “Possible Social Security Numbers Associated With This Subject; Possible Deeds Transferred; Possible Felony / Probation / Parole.” As a recovered identity theft victim, I was stunned by the prospect 
that some of those items in my report could have been reported as a result of my 
impostor’s actions, and I was fearful of what could happen to me and my family if 
this information were to be acquired by someone who wished to do harm. I was re- 
minded of the Amy Boyer case a few years ago in which a young man, Liam Youens 
used an on-line information broker — Docusearch to obtain Amy’s Social Security 
number, phone number, and work address in order to find her. He then appeared 
at her office and killed her and then committed suicide. Later in his computer, po- 
lice found a message he had written about data broker services — “It’s actually ob- 
scene what you can find out about people on the Internet.” 

D. Data Brokers Are Operating Under the Radar Screen and Are Invisible to Most Citizens 

Even with all the publicity about data brokers and recent security breaches, when 
I have spoken to large audiences in the last month about identity theft, most people 
still didn’t know these companies by name or what they do, or how they gather data 
or what’s in their databases. There is no transparency. In fact, most people tell me 
that if they had received a security breach letter from ChoicePoint or LexisNexis, 
they probably would have thrown it out as “junk mail” since they hadn’t heard of 
the company and do not have a business relationship. Many potential victims who 
received security breach letters have not taken advantage of LexisNexis’ offer for 
a year of credit monitoring (for example) because they didn’t even open the enve- 
lope, or if they did, they didn’t know what to worry about since they didn’t know 
what was revealed from their files to cause alarm. None of the breach letters that 
I have seen contained a copy of the profile, or a detailed list of the data that was 
stolen. 

E. Everyone in This Room and Reading This Testimony Has a Profile in the Data Broker Files 

Do You Know What Information About You Is Being Sold? 

Everyone in this room who has a birth certificate, a driver’s license, if you’ve been 
married, divorced, have auto or homeowner’s insurance, if you have ever worked, 
if you have a residence, if you have any government approved license, if you’ve been 
issued a speeding ticket — YOU ARE IN THOSE SECRET FILES. Every Senator in 
this room — and every one watching this hearing has a profile in those files. Have 
you seen your dossier? Do you know what fact or fiction is being sold about you? 
As the law stands now — you don’t have the right to know what is in those files, nor 
do you have the right to correct the many errors, nor do you have the right to know 
who has had access to those sensitive files, nor can you limit their sale — actually 
none of us here (except perhaps the data broker persons) have control over anything 
in those files. These companies have operated in the shadows and have sold this 
often erroneous information to myriad companies, journalists and governmental 
agencies. Yet most Americans don’t even know who these companies are or what 
they do. This is America — the home of freedom and liberty, this is not a communist 
country or Nazi regime where secret files are kept on citizens — and shared with var- 
ious entities and governmental agencies. The FBI and other law enforcement agen- 
cies are purchasing this information from data brokers, so are employers, insurers, 
landlords, attorneys, private investigators, and others — shouldn’t law abiding citi- 
zens have a right to at least see the dossiers and make sure that the information 
is correct? 

Although the credit reporting agencies are also considered data brokers, they are 
regulated by the Fair Credit Reporting Act and that law gives us the right to see 
our data, review it, dispute it, correct it, find out who has accessed it, limit its sale 
and review, and give us the right to enforce our rights. Unfortunately, the informa- 
tion service industry only acknowledges that a small portion of its products apply 
to the FCRA (i.e., reports made for insurance, employment history, landlord tenant 
history, medical insurance). Why shouldn’t the data brokers be subject to the same 
fair information principles? 

III. What Are Some Real Life Examples of Identity Theft as They Relate to Information Brokers? 

A. Examples of Financial Identity Theft 

1. John is a recent widower. After his wife died of cancer at age 35, (leaving him 
with three young children), he began receiving collection calls from credit card com- 
panies, a computer manufacturer, and a cell phone company for the items and serv- 
ices allegedly purchased by his deceased wife after her funeral. He suspects that the 
imposter got the information from the death certificate which has the Social Security 
number and birth date on the document. This could have been obtained in the fu- 
neral home, from public records offline or online, through the Social Security Admin- 
istration, or from any information broker. 

Many public records including birth certificates, death certificates, marriages, 
pilot and captain licenses, etc. contain the Social Security number — which is the key 
to the kingdom of identity theft. The data brokers sell public records to almost any- 
one. John became a victim prior to July 2003 when the California Security Breach 
disclosure law became effective. If he were a victim of a security breach after July 
2003, he hopefully would have been notified, and would have had a chance to put 
up barriers to protect his deceased wife’s good name and his finances. 

2. Sidney, a wealthy retired executive learned that his identity was stolen many 
months after he and his wife purchased a new home. His loan application, with his 
3-in-1 credit report attached, revealed his credit score, his checking, savings, and investment accounts, Social Security number, and all necessary information for an impostor to become Sidney. He believes his masquerader had gotten a copy of Sidney’s 
credit report which was on the broker’s laptop. The impostor opened new credit card 
accounts, purchased computers, electronic equipment, furniture, rented an apartment, 
obtained utilities, etc., stealing almost $100,000, and the couple are overwhelmed. 

Allowing employees to download credit reports, and maintain loan applications in 
unencrypted files on laptops, which may be easily stolen outside a secured office, 
makes customers very vulnerable to identity theft. It is imperative that all compa- 
nies that collect data and transfer it for use, verify the recipient (that he or she has 
a lawful, permissible purpose), set up contracts and enforcement for the security of 
the information. It’s critical for victims to get notice immediately of any security 
breach, so that they may take steps to intervene and stop further fraud activities. 

3. Susan, a physician, received a letter from a company that she did business with, 
that her Social Security number and other information about her had been acquired 
by unauthorized persons. She was terrified as to what could happen to her finances, 
and her practice. She put fraud alerts on her credit profile, changed all her pass- 
words, even closed accounts and opened new ones. She felt very violated, angry, 
frightened and upset. Almost 1½ years later, she started receiving calls from 
creditors from accounts she never owned — including cell phones, credit cards, and loans. 
She believed the fraud alert would remain on her credit profile — it did not. Even 
when the fraud alert was on her file, companies seemed to ignore the alert and issue 
credit. Since she lives in California, she was able to place a security freeze on her 
profile so no one could see her credit report to issue credit without her providing a 
password to release her file. Now she has sleepless nights about her impostor parad- 
ing as a doctor and committing other crimes. She wants to see a full background 
check from the information brokers. 
This case shows us why it is so important to receive notice of a security breach. 
Susan took proactive steps to prevent fraud, and several companies called her and 
did not issue credit. Some negligent companies ignored the alert. Because she lives 
in one of the four states (presently California, Texas, Vermont, and Louisiana) that 
allow victims to “freeze” their reports, she was finally able to stop the financial 
fraud. But the fear of criminal identity theft is now haunting her. She should be 
able to put a fraud alert on her consumer profile and obtain a complete background 
check at no cost if she is a victim — just as victims can obtain two free credit reports 
in the 12 months in which they learned of the fraud. She should also be able to 
limit the sale of her consumer report and be notified with the name, telephone num- 
ber and address of a business or governmental entity (other than Homeland Secu- 
rity) to see who is accessing her profile. 

B. Examples of Criminal Identity Theft 

1. George, a disabled veteran living in Colorado, was suddenly denied his disability 
payments, and hit with a large IRS bill for the income that his impostor had earned 
while working under his name in Tennessee. Upon reporting this fraud to the police, 
we learned that George’s impostor had also established a criminal record in yet an- 
other state and there was a warrant for George’s arrest. 

George’s information about his impostor’s criminal activity and work related fraud 
would not show up on a credit report (until the IRS reports it), but it would show 
up on a background check provided by the data brokers who are testifying today. 
George found out the hard way, when he lost benefits and was arrested. If he had 
access to his consumer file, he would have found out about the fraud and wouldn’t 
have lost his disability benefits. 

George’s case demonstrates why we must be able to review, dispute and correct 
our consumer files. We should be able to get our complete dossiers at least once a 
year at no cost as is our right to get a credit report from each of the three credit 
reporting agencies under the Fair and Accurate Credit Transactions Act. 

2. Lori, a disabled vet from Virginia, and single mom with a set of six-year-old 
twins, was attending school to get her Master’s degree in Social Work, when the police 
showed up at her door. She was arrested for a crime that she didn’t commit. The 
woman who committed the fraud used the name Laura along with Lori’s last name. 
Her fingerprints did not match the prints of the perpetrator, and the description of 
the fraudster was different from Lori, yet she was convicted. With my help and the 
help of new counsel, she was sentenced to probation — but the felony record must be 
corrected with a new trial. Her greatest fear isn’t the new trial — it is the information 
broker databases that may continue to report her as a felon even after the criminal 
records are cleared. She has reason to fear as you will read in the next case. 

3. Scott was laid off from a high-paying job in the medical industry in Ohio. He 
had great recommendations and felt sure he would be rehired. For two years he was 
denied employment after several positive interviews and his permission to do a back- 
ground check. Finally Scott hired a private investigator who showed him his crimi- 
nal profile from a data broker. It included two DUIs and an arrest for murder. None 
of which belonged to him. I spent many months helping him to correct the sheriff 
and FBI databases. But months after we cleared all the law enforcement databases, 
he applied for employment and was offered the job, but after reviewing his 
background, he was told that they couldn’t hire him. He was in shock when the private 
investigator pulled his report again and found that a major information broker was 
still selling this false information to prospective employers without updating their 
files. Finally after a lawsuit was filed by an Ohio attorney, the information was cor- 
rected. But the years of anguish and lack of employment continues to damage his 
career and his personal life. 

Scott had no idea why he had trouble getting a job. Although a potential employer 
is supposed to tell you if you are denied employment due to a consumer report, and 
let you know how to review the report, it’s understandable that an employer may 
be reticent to tell a “murderer” that he is denied employment due to his criminal 
history. Instead he was told that there were others who were more suitable for the 
position. If Scott had the right to see his file earlier and had the right to correct 
it, he would have been able to secure employment and perhaps not have gotten di- 
vorced, lost custody of his son, nor become homeless for those years. 

C. Examples of Identity Theft for Revenge 

1. Linda was married to a prominent Chicago lawyer for 25 years. When he de- 
cided to divorce her to marry his secretary, he had a friend download Linda’s con- 
sumer information and give it to a fraudster who applied for numerous credit cards, 
ordered furniture, and other luxury items. The fraudster also used Linda’s name to 
set up e-mail accounts to send the estranged husband threatening messages. This 
was done to discredit Linda in court. 

Obviously, there was no lawful purpose for downloading this report from the data 
broker. There was no verification of permissive use by the data broker. It clearly 
was revenge and self-interest. 

2. The first cyber stalking case prosecuted in Orange County, California turned out 
to be identity theft. A computer expert was angry when a woman he liked shunned 
his advances. He proceeded to go online to a chat room and pretend to be her — stat- 
ing that she had fantasies of being raped. From a data broker, he was able to find 
her home phone number and address and shared it in the chatroom. The woman 
didn’t even own a computer. When several men appeared at her door to share her 
fantasies, she was terrified and called the police. She had an emotional breakdown 
and the violation has left scars. 

3. A radio talk show host was shocked to learn that his own identity was stolen 
by a disgruntled listener who bought his dossier from an on-line information broker. 
Aside from calling him at home and bullying him, he obtained access to his e-mail 
account and sent embarrassing e-mails to the station, pretending to be the talk show 
host. 

The above cases demonstrate how identity theft is facilitated by the data broker 
industry. Unless a victim gets notice of a security breach or unless law enforcement 
or a private investigator can solve the mystery, most victims don’t have a clue how 
the criminal has gotten his sensitive records. The assaults against these victims 
caused great anguish, overwhelmed them and negatively impacted every aspect of 
their lives. The time spent trying to regain their lives, the damage to their reputa- 
tion, and the out-of-pocket costs were miniscule compared with the tremendous emo- 
tional turmoil these people endured. 

IV. What Is the Impact of Security Breaches on Citizens Whose Information 
Is Stolen? 

Persons whose information has been stolen by criminals are victims of a crime. 
They may not yet be victims of identity theft — yet they are victims of a Federal 
crime. Not only has their private, sensitive information gotten into the hands of un- 
authorized persons — but those unauthorized persons have done so with the intent 
to commit an unlawful act. Under 18 U.S.C. 1028, as stated below, the persons 
committing the act are felons and those who are adversely affected are victims of a 
Federal felony: 

The Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act, 
18 U.S.C. § 1028) makes it a Federal crime when anyone: 

knowingly transfers or uses, without lawful authority, a means of identification 
of another person with the intent to commit, or to aid or abet, any unlawful ac- 
tivity that constitutes a violation of Federal law, or that constitutes a felony 
under any applicable State or local law. 

I have personally spoken with victims of security breaches who have received 
notice letters from entities such as LexisNexis, ChoicePoint, Ameritrade, Bank of Amer- 
ica, Wells Fargo and several universities, hospitals, and even smaller businesses. 
The victims of the breach feel very violated, angry, frightened and overwhelmed and 
helpless. It is well known that criminals steal the information and may often wait 
months or years to use it — or they sell it in exchange for methamphetamine or 
money. It may be transferred several times and used for financial gain or to commit 
other crimes. Because the victims of the breach don’t know who the criminals are 
or their intent, they are anxious. Additionally, the victims are not notified as to ex- 
actly what information may have been taken, so they feel defenseless and don’t even 
know what to protect. Although I tell these victims actions to take to put up 
barriers (placing fraud alerts, instituting security freezes, changing passwords, changing 
mother’s maiden name, monitoring credit reports, etc.), victims still feel incapable 
of ensuring that their identity won’t be stolen. Many are fearful that their family 
home or office may be intruded by the perpetrators who may have their addresses, 
phone numbers, bank account information and perhaps an entire dossier. 

Below are a couple of e-mails I received from victims of a security breach explain- 
ing their strong feelings of victimization. 

“My husband and I are very upset and it is overwhelming. We are very anxious 
and it takes a tremendous amount of time and effort just to get a security freeze. 
The credit agencies shouldn’t make it so difficult. I’m spending so much time 
monitoring accounts and credit reports — it’s exhausting — I feel very vulnerable 
and frightened that some criminal knows all about me and may wait to use our 
stuff any time, now or in the future — what can I do?” 
“I spend sleepless nights wondering when the phone may ring, or I will open a 
letter from a bill collector. I’m worrying if someone has obtained new identifica- 
tion under my wife’s or my name. It is scary to think that I may be pulled over 
by the police for something I didn’t do. What if they drag me or Lord forbid MY 
WIFE, from the vehicle and handcuff us. My wife and I are losing too much 
sleep.” 

The emotional impact on these victims is intense and their fears are real. Why 
would a criminal steal the information if there was no intent to sell, transfer or use 
it for an unlawful purpose? 

V. What Needs To Be Done With Regard to Minimizing the Risks of Identity 
Theft as to Information Brokers? 

Data brokers must be regulated by imposing Fair Information Practices as fol- 
lows: 

1. Transparency — The nature of personal data held by these companies should be 
readily available for inspection by the public. The uses of the information should be 
clearly defined. 

2. Consent and Notice — Consumers should be able to give their consent to the dis- 
closure of their information prior to disclosure, such as the rights with regard to 
disclosure of credit reports. The exceptions would be for defined categories of law 
enforcement and Homeland Security. In other words there should be an established, 
permissible purpose; i.e. — employment background checks, insurance, landlord ten- 
ant, etc. When a consumer gives his consent or it is considered a “permissible pur- 
pose,” the consumer should be entitled to notice of the sale, and the consumer 
should receive a free copy from the entity that bought the report. 

3. Consumer Access and Inspection — Individuals should have the right to one free 
disclosure per year as they have for credit reports. A central website and toll free 
numbers should be set up for consumers to get their entire profile — not just a “Clue 
Report.” If a person has become a victim of identity theft, he should be entitled to 
at least one other free disclosure per year for 24 months after learning of the stolen 
identity. The inspection report should be the same as would be accessed by a com- 
pany for a background check — the complete profile. The disclosure should also pro- 
vide a list of names, addresses and phone numbers of all entities that received a 
copy of such report in the last 5 years. This would include governmental entities 
except for specific guidelines of Homeland Security or other law enforcement 
restrictions. Employers or others who order background checks on a consumer should be 
required to provide a copy to the consumer upon receipt whether or not the con- 
sumer report was a factor in hiring or reviewing an employee or prospective em- 
ployee. 

4. Quality Controls and Timely Correction — The information collected should be 
accurate, complete, updated and relevant to the purpose for which it is to be used. 
The Data Broker industry should allow individuals to dispute and provide prompt 
correction of the files within no more than 30 days. The broker should reinvestigate 
without cost to the consumer and make all appropriate changes if the information 
cannot be verified. If after the data broker investigates, it finds that the investiga- 
tion verified the information, the company shall provide the name, address and 
phone number of the verifying entity so that the consumer can directly dispute the 
information. 

5. Strict Security Controls — There should be safeguards against risk of loss, unau- 
thorized access, alteration, hacking, etc. Audit trails and limited access should be 
standard, as well as encryption of the sensitive data. Customers should be screened 
both initially and with respect to how the end-user is safeguarding the information 
from unlawful use. In the event of a security breach, the data broker must notify 
all individuals whose information was acquired either on paper or electronically 
with a letter providing the consumer the nature of the breach, what information 
was stolen, how to protect themselves with fraud alerts, security freezes and other 
useful tools. They should also provide a free copy of the report that was accessed. 
Credit monitoring and a background check monitoring would be needed. (Fraud res- 
olution services may be necessary.) 

6. Enforcement — The data broker industry must be held accountable to consumers 
and victims. Outside audits and training should be mandatory. A private right-of- 
action is essential to allow enforcement of the provisions of the law. A private right- 
of-action provides that the cost of the legal system policing against acts of prevent- 
able corporate negligence is paid by the guilty parties rather than by increasing 
taxes or adding to the size of government. We have seen that many provisions of 
FACTA and the GLB Act have not been enforced because Federal agencies do not 
have the resources or manpower to take actions against all the violations, and why 
should our taxes be spent to right the wrongs of companies who violate the law. 
Individuals should be able to seek redress for their damages without having to rely 
on the government to intervene; however, for large cases, enforcement should be 
available in state courts by private parties, attorneys general and the FTC. 

7. Preserving States Rights — Consumer reforms with regard to identity theft have 
derived from proactive States that were responsive to the plight of their citizens. Some 
examples of this are: the right to a free credit report, annually, the right to place 
a fraud alert, the right of victims to obtain information from businesses and credi- 
tors to regain their identity. More recently we have found out about the security 
breaches of two of the data brokers here today only because of the California Secu- 
rity Breach law. Both ChoicePoint and LexisNexis admitted in a Senate hearing 
that they both experienced significant breaches prior to July 2003, when the Cali- 
fornia law became effective, and did not notify any of the victims of the breach. 
Since February 2005, over 4 million Americans have been victims of various security 
breaches. (See Exhibit II from the Wall Street Journal) — none of which we would 
have heard about, but for the California law. Arizona and California were the first 
two states to make identity theft a crime — leading all the states and the Federal 
Government to establish the consumer as a true victim. Numerous states are insti- 
tuting security freezes to lock up a consumer’s credit so fraud cannot continue. Fed- 
eral law should serve as a floor, not a ceiling, so that states can, if need be, quickly 
address the crises of their victims. 

VI. What Else Is Needed To Prevent and Resolve Identity Theft? 

1. Security Breach Notification must extend to all states — All governmental agen- 
cies, and private industry, schools, and other entities should be held accountable to 
quickly notify all persons whose sensitive and personal information (paper and elec- 
tronic files) were acquired by an unauthorized person. There should be an exception 
for encryption only if it is robust and if the unauthorized acquisition was not capa- 
ble of being decrypted by an unscrupulous employee or customer. The standard of 
providing notice should be triggered by the acquisition of the data rather than the 
use of it. A bank or other entity who experiences a breach should not be allowed 
to determine the possibility of the misuse. The only delay of notice would be for law 
enforcement upon its written request. Allowing the business or entity to make the 
call as to when there might be a risk of harm is like allowing the wolf to tend the 
henhouse. There should be enforcement by the FTC, State attorneys general and 
private individuals. Any preemption should be a floor and not a ceiling so that 
states can protect their own citizens regarding unique needs. As a member of the 
advisory board of the California Office Of Privacy Protection, we created a list of 
“Recommended Practices on Notification of Security Breaches Involving Personal In- 
formation” as a guide for dealing with security breaches, please visit 
www.privacy.ca.gov to review those standards. 

2. Governmental agencies as well as private industry should limit the use of the 
Social Security number since it is presently the key to the kingdom of financial fraud — 
Our advisory board to the Office of Privacy Protection in the California Office of 
Consumer Affairs also had the privilege of developing the “Recommended Practices 
for Protecting the Confidentiality of Social Security Numbers” (www.privacy.ca.gov). 
This document should be considered by both public and private sector entities as a 
guide to protect all consumers. 

The Social Security number is used as the identifier for military cards and “dog- 
tags,” Medicare, Medicaid, pilot’s licenses, captain’s licenses, etc. No entity should 
be allowed to display, post, or sell the SSN. The SSN in public records should be 
redacted before posting. There should be no collection of SSNs by private or govern- 
mental agencies except where necessary for a transaction and there is no other rea- 
sonable alternative. SSNs collected for a specified purpose should not be used for 
any other purpose. 

3. Mandatory Destruction of Confidential Information — Governmental agencies 
and private industry should be required to completely destroy personal information 
that they are discarding by shredding, burning or whatever means is necessary to 
protect the information from dumpster-diving. This should extend to any confiden- 
tial and sensitive information — not just information derived from consumer reports. 

4. Departments of Motor Vehicle Licensing — Bureaus should establish more strin- 
gent monitoring and matching of duplicate licensing and new licenses. A photo ID 
and a fingerprint could be matched. Rather than developing a “national ID” with 
various forms of biometric information, credit cards and other unnecessary informa- 
tion which would complicate the process and invade privacy, this license would help 
deter interstate identity theft without collecting too much information nor allow it 
to be accessed or sold to private industry. 

5. Need for an Easier Process for Victims — Problems with the Fair and Accurate 
Credit Transactions Act (which was meant to make things easier for victims) — 
a. An Identity Theft Report is needed in order for victims to get an extended 
fraud alert, block the fraud on their profile, and gain access to records of the 
fraud — FACTA was meant to streamline and help victims of identity theft. 
However, the new rules recently released by the FTC with regard to the “Iden- 
tity Theft Report” clearly show the time-consuming maze that a victim must 
maneuver. Below is an example of the hassle of exerting your victim rights with 
regard to the FTC rule about the “Identity Theft Report.” 

“An Identity Theft Report may have two parts: 

Part One is a copy of a report filed with a local, State, or Federal law enforce- 
ment agency, like your local police department, your State attorney general, the 
FBI, the U.S. Secret Service, the FTC, and the U.S. Postal Inspection Service. 
There is no Federal law requiring a Federal agency to take a report about iden- 
tity theft; however, some State laws require local police departments to take re- 
ports. When you file a report, provide as much information as you can about 
the crime, including anything you know about the dates of the identity theft, 
the fraudulent accounts opened and the alleged identity thief. 

Note: Knowingly submitting false information could subject you to criminal 
prosecution for perjury. 

Part Two of an identity theft report (depends on the policies of the consumer 
reporting company and the information provider) (the business that sent the 
information to the consumer reporting company). That is, they may ask you to pro- 
vide information or documentation in addition to that included in the law en- 
forcement report which is reasonably intended to verify your identity theft. 
They must make their request within 15 days of receiving your law enforcement 
report, or, if you already obtained an extended fraud alert on your credit report, 
the date you submit your request to the credit reporting company for informa- 
tion blocking. The consumer reporting company and information provider then 
have 15 more days to work with you to make sure your identity theft report 
contains everything they need. They are entitled to take five days to review any 
information you give them. For example, if you give them information 11 days 
after they request it, they do not have to make a final decision until 16 days 
after they asked you for that information. If you give them any information 
after the 15-day deadline, they can reject your identity theft report as incom- 
plete; you will have to resubmit your identity theft report with the correct 
information.” (FTC Rules) 

This rule is not only cumbersome it is confusing and allows the credit reporting 
agencies to delay unnecessarily and it gives victims a run around. I have al- 
ready heard from many victims who are frustrated, angry, and unable to block 
the fraud or even extend the fraud alert. 

b. Law enforcement agencies at the local, State and Federal level should develop 
a uniform “identity theft report” to be compliant with FACTA — and the FTC 
should determine what satisfies an “identity theft report” — New provisions of the 
Fair Credit Reporting Act require a detailed “identity theft report” to send to 
the credit grantors, and the credit reporting agencies. If a proper identity theft 
report is sent to the credit reporting agencies they are required to do the fol- 
lowing: place an extended fraud alert for 7 years, block all the fraud on the pro- 
file immediately; notify the creditor that the accounts are blocked. Additionally, 
if the victim provides a proper, identity theft report to the creditors, they must 
provide all documentation of the fraud to the victim and to the law enforcement 
agency within thirty days. Unfortunately, the agencies themselves are deciding 
what is “proper” and many victims contacted us because they are not able to 
appease the credit reporting agencies nor the credit grantors with the reports. 
So they cannot exert these rights afforded under the law and there is no private 
right-of-action to enforce these rights. 

The FTC should determine what will be acceptable as an identity theft report 
and facilitate the victim’s report. It should be adhered to by law enforcement 
as well as the financial industry without imposing an arduous task upon the 
victim. Also, the victim should be able to get a police report in the jurisdiction 
where she lives even if the impostor is in another state. And, the case should 
be able to be prosecuted in the jurisdiction where the victim lives or the juris- 
diction where the crime takes place. All police should be required to provide a 
proper identity theft report even if they do not have the resources to investigate 
the crime. 

c. Initial Fraud alert should be one year — FACTA allows a victim of a breach 
or fraud to place a fraud alert on credit profiles for at least 90 days with their 
first phone call. To extend the alert they must write a letter and provide an 
“identity theft report.” The initial fraud alert should be changed to at least 1 year 
especially because victims of a security breach may not be victimized for a long 
time. 

d. Free credit report for victim should be available by phone when calling in the 
fraud alert — Prior to the passage of FACTA, victims could order their free credit 
report to review their files at the same time they place a fraud alert. Now, the 
credit reporting agencies (except for TransUnion “temporarily”) do not give the 
victim an opportunity to get the free credit reports in the initial phone notifica- 
tion of the fraud. They are later sent a letter notifying them of their right to 
a free report upon request. This is another delay which allows the impostor 
more time to do his “dirty work,” and this is an added burden for the victim 
and costlier for the creditor. The victim should be allowed to order the first of 
his two free reports during the initial fraud alert phone call. 

e. Victims should be provided a complete report upon disputing the fraud and 
the victim should be able to see the report that the creditors see — The CRAs are 
now sending corrections instead of complete corrected reports to victims. This 
is dangerous since other new fraud may appear on the report. Also — the report 
that a creditor receives is more comprehensive than the report that the victim 
sees, so this is not complete disclosure. 

6. Funding for law enforcement for identity theft cases should be greatly increased 
since this is also a Homeland Security issue — All major metropolitan areas should 
be funded to set up identity theft task forces to include the Secret Service, the Post- 
al Inspector, the Social Security Inspector, the FBI, INS, State attorney general and 
local law enforcement to collaborate in the investigation and prosecution of these 
crimes since suspected terrorists will need to utilize stolen identities to attempt 
their missions. 

7. Law enforcement agencies should help victims of criminal identity theft — A Fed- 
eral law should set forth steps for law enforcement to take (in conjunction with the 
judicial system), to assist victims of criminal identity theft. So a victim of criminal 
identity theft in California, whose impostor is in New York, could be declared inno- 
cent in New York as well as California. This would entail a national database of 
the criminal information and fingerprints. It would contain the order of the true 
person’s fingerprints for comparison with the fingerprints of the impostor-criminal 
in New York. The court would enter a declaration of factual innocence and any war- 
rants for the victim would be dismissed. All databases would be corrected so that 
background checks would not show the victim as having an arrest or criminal 
record. (See California law and package for victims to clear their criminal record 
www.privacy.ca.gov). 

8. Set up State and Federal Offices for Privacy Protection — There should be a Fed- 
eral office of privacy protection as well as State offices. The office of privacy 
protection should institute an ombudsman office to assist citizens with identity theft and 
other serious privacy issues. It should also coordinate and review the various gov- 
ernmental offices of privacy to ensure oversight. 

9. Credit Reporting Agencies — 

a. Consumers should be able to put a complete freeze on their credit reports in 
order to prevent identity theft — This would enable the consumer to prevent their 
credit report from being accessed by a creditor without the specific authoriza- 
tion of release with a password. California, Texas, Vermont and Louisiana have 
passed such laws. It would be impossible for an impostor to apply for credit if 
there were a freeze on the file. The consumer would have the right to release 
the file when he so desires by a password or pin number. Every State should 
pass this legislation or if it is Federal legislation, then there needs to be a pri- 
vate right-of-action and no Federal preemption. 

b. Credit reporting agencies should provide to victims a COMPLETE REPORT 
when providing corrections — All reports should include the names, addresses 
and phone numbers of the companies who accessed the consumer’s credit report, 
including inquiries with the issuance of a consumer report so that potential vic- 
tims could verify the permissible purpose. 

c. Credit reporting agencies should notify a consumer by e-mail when his/her 
credit report has been accessed — The agency should be allowed to charge a mini- 
mal fee for this service — as to actual cost (i.e., $10 per year). 

d. Credit reporting agencies should set up hotlines with live persons to talk to 
victims of identity theft — A live employee in the fraud department should be as- 
signed to a particular victim — so the victim doesn’t have to re-explain all the 
problems in numerous letters. 





10. Banks and other Creditors should be held accountable for protecting consumers 
and others from identity theft — 

a. Creditors who issue credit to an impostor after a fraud alert is placed on a 
credit profile, should be held liable and the victim should have a private right- 
of-action to enforce his rights — Presently if a creditor ignores the fraud alert, 
only the Federal Trade Commission or other Federal agencies may bring an 
action and they clearly cannot enforce individual rights nor do they have the 
resources to deal with most of the violations. There should be a fixed penalty 
of at least $1000 per occurrence or actual damages, whichever is greater. 

b. Need for private enforcement of access to business records — If a fraud victim 
provides notification of fraud and includes an “identity theft report” and an affi- 
davit, under the FCRA, a creditor is required, within 30 days, to provide copies 
of all billing statements, applications and other documents of fraud to the vic- 
tim and the designated law enforcement agency. Presently, victims are con- 
tacting us that many companies are refusing to provide the information without 
a subpoena. Victims presently have no private right to force a company to pro- 
vide this data. Only the FTC, or other Federal agencies, may bring an action — 
but it cannot help an individual consumer. This must be changed so that there 
will be enforcement of the provision of the Act. 

c. Creditors should not be allowed to send “convenience checks” without a prior 
request by the consumer — I was told by a postal inspector that 35 percent of 
these checks are used fraudulently. 

d. Credit grantors should not be allowed to send pre-approved offers of credit 
without a PRIOR request of the consumer. 

Identity Theft Conclusions 

Personal, confidential, and financial information is a valued commodity in our so- 
ciety. Data brokers have flourished abundantly while selling and transferring your 
extensive, aggregated personal profiles which include your income, credit worthi- 
ness, buying, spending, traveling habits, health information, age, gender, race, etc. 
Facts about our personal and financial lives are shared legally, and illegally, with- 
out our knowledge or consent — on-line and off-line everyday. Privacy protection in 
the age of data collection is really more about limiting access and instituting inspec- 
tion and correction to our records, rather than keeping the information secret. We 
have lost control over the dissemination of our sensitive data, and this has led to 
the enormous epidemic of identity theft. The huge data breaches in recent months 
have shined the light on the immensity of the problem of identity thieves and the 
havoc they cause. But it also has enlightened our lawmakers to collaborate to create 
a new framework for reasonable regulation of the data broker industry. 

To avert identity theft, the burden is on the data brokers, and the financial indus- 
try who are in the unique position on the front end, to take precautions, require 
verification, and authentication of employees, vendors, business associates and cus- 
tomers, and refuse to sidestep fair information principles. Data brokers, the credit 
reporting agencies and the financial industry are in a powerful position to prevent 
the fraud before the impostor can establish a parallel “shadow profile.” 

I am hopeful that as a result of the gigantic breaches of sensitive information, 
that this Congress will create a regulatory framework for the information brokers 
that will protect our citizens and enable the Data Broker industry to help society. 
I encourage you to strongly consider the thoughtful and well reasoned language of 
S. 500, which implements the Fair Information Principles, yet acknowledges the im- 
portance of the work that the data industry provides, while safeguarding the identity 
of every American. 

Thank you for the opportunity to share these concerns and suggestions with this 
Honorable Committee. 
Exhibit I 

Sample Auto Track Data on Fictitious Person From ChoicePoint 

National Comprehensive Report Plus Associates 
Compiled on 01/05/2002 at 3:39PM 
Reference: 123456 

ZACHARY K THUL DOB: JAN 1955 

SSN 960-45-XXXX issued in New York between 1968 and 1970 

Possible AKA’s for Subject 

THUL, ZACK K SSN: 960-45-XXXX 

Possible Other Social Security Numbers Associated with Subject 
THUL, ZACHARY K SSN: 690-45-XXXX 
THUL, ZACHARY K SSN: 690-45-XXXX 

**ALERT** A Death claim was filed for SSN 690-45-XXXX in FEB 1962. 

Possible Other Records/Names Associated with Social Security Numbers 

KIRBY, LOARDA SSN: 983-16-XXXX 

KIRBY, LORADA SSN: 960-45-XXXX 

Possible Driver Licenses 

THUL, ZACHARY K 

DL: T432117680470 issued in Ohio on 12/19/1996 expires 02/07/2001 
DOB: 01/17/1955 Height: 5'08" 

7891 W FLAGLER ST MIAMI, OH 38972 
Possible Addresses Associated with Subject 
SEP-1997/DEC-2000 — 7891 W FLAGLER ST 
MIAMI, OH 38972 

JUN-1995/AUG-1997 — 15 ROBY AVE (555) 123-4567 

HAMPTON BAYS, NY 11238 

JUN-1996/JUN-1996 — 1400 35TH ST K 41 

SPRINGFIELD, FL 34090 

MAY-1995/MAY-1995 — 4833 STORM ST APT 33 

SPRINGFIELD, OH 34443 

JUL-1994/JUN-1996 — 4833 STORM ST 133 

SPRINGFIELD, OH 34443 

SEP-1994/ JUL-1995 — 305 WAYBREEZE BLVD 

COLUMBUS, OH 34209 

DEC-1992/APR-1995 — 70 REARVIEW DR 

RIVERBEND, NY 11903 

438 BULLSIDE TER W 

HACKENSACK, NJ 09348 

The following is a sample National Comprehensive Report SM Plus Associates. 

The amount and type of records identified in a report will vary from subject to 
subject. All names and other information are fictional and are for illustrative pur- 
poses only. Any resemblance to real persons or public record information is uninten- 
tional. Some National Comprehensive Reports SM may locate a partial date of birth. 
Frequently, subjects of a National Comprehensive Report SM will be linked to other 
names because two public records reference two different names, but only one Social 
Security number. The most common reasons for these occurrences are: 

1. Typographical errors 

2. Jointly filed public records which list both the subject and the second name 

3. Father and son who have the same name 

4. Fraudulent use of a Social Security number 

The dates represent the approximate time period when the linked address appeared 
on a publicly available record document for the subject. The subject may or may 
not have resided at any of the addresses. Some public records link the subject to 
an address without noting a date range. Addresses without date ranges will appear 
at the bottom of the address list. Such an address may be current or historical. 
Underlined items provide a link to record details. 

Phone Listings for Subject’s Addresses 
1400 35TH ST W SPRINGFIELD, FL 34090 

Over 100 phone numbers found, only same last name considered. 

4833 STORM ST SPRINGFIELD, OH 34443 
ACME RENTALS (555) 555-1935 
305 WAYBREEZE BLVD COLUMBUS, OH 34209 
THUL ZACHARY (555) 498-5525 
Possible Real Property Ownership 
4833 STORM ST SPRINGFIELD, OH 34443 
Ohio Assessment Record — County of: CLARK 
Owner Name: THUL, ZACHARY 
Parcel Number: 998-8748-9448 

Short Legal Desc: STORM ST IR PT LOT 7& ADK J S BUCKINGHAM AM EST 
Property Type: SINGLE FAMILY 
Recorded Date: 

Situs Address: 4833 STORM ST I 33 
SPRINGFIELD, OH 34443 
Mailing Address: 7891 W FLAGLER ST 
MIAMI, OH 38972 

Assessment Year: 1995 Tax Year: 1997 
Assessed Land Value: Market Land Value: $366,800 
Assessed Improvements: Market Improvements: $192,000 
Total Assessed Value: Total Market Value: $558,800 
Most Recent Sale: $305,000 Prior Sale Price: 

A manual search of Real Property using the name THUL ZACHARY K is rec- 
ommended. 4 additional property records exist (including historicals) but are not in- 
cluded, as they do not match all necessary criteria. 

Possible Deed Transfers 

305 WAYBREEZE BLVD COLUMBUS OH 34209 

Ohio Deed Transfer Records — County of: FRANKLIN 

Parcel Number: T545663 

Legal Desc: LT 56 BLK 87 PB 14/38 

Sale Price: $84,000 Loan Amount: $67,200 

Contract Date: 8/14/1995 

Lender: LIBERTY SAV BK 

Situs Addr: 305 WAYBREEZE BLVD 

COLUMBUS, OH 34209 

Seller(s): THUL, ZACHARY K 

Buyer(s): SMITH, BART O 

Possible Vehicles Registered at Subject’s Addresses 
1400 35th ST K 41 SPRINGFIELD, FL 34090 

Plate: K387KJ State: NY Date Registered: 08/14/1995 Expire Date: 08/29/2000 
Title: 76174678 Title Date: 10/30/1998 
OWNER: ZACHARY K THUL 
Color: WHITE 

This message probably indicates that a multi-unit building is located at this ad- 
dress. 

By comparing the list of Possible Addresses Associated with Subject with the listed 
phone numbers in the Phones module, the report finds phone numbers, which have 
been listed at the given address. In this report, one property record was found in 
Real Property SM which matched the subject’s name and address and the properties 
situs address. This message indicates that additional records in Real Property SM 
match the subject’s name, but none of these records had a situs address that 
matched an address found at the top of the report. These additional properties may 
belong to the subject or may simply belong to someone with the same name. Search 
Real Property SM by name for a complete list of possible properties. A list of states 
and counties for which AUTOTRACK XP SM has deed transfer records can be located 
by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the 
top of the screen. The property information returned from this database may differ 
from the information found in Real Property SM . (See the above note on Possible 
Property Ownership.) A list of states for which AUTOTRACK XP SM has vehicle reg- 
istration records can be located by choosing the Help link from the blue 
AUTOTRACK XP SM navigation bar at the top of the screen. Underlined items pro- 
vide a link to record details. 

1999 DODGE GRAND CARAVAN SE 

DODGE GRAND CARAVAN SE— 3.3L V6 SOHC FLEXFUE 

VIN: 2B5CD3595EK253648 

MINIVAN 

Plate: ID036H State: FL Date Registered: 04/28/1999 Expire Date: 10/30/2000 
Title: 77465960 Title Date: 09/29/1998 
OWNER: ZACHARY K THUL 
Color: RED 

1997 CHEVROLET S10 PICKUP 
CHEVROLET S10 PICKUP— 2.2L L4 EFI OHV 8V 
VIN: 1GCCS144X8144822 
PICKUP 

Possible Watercraft 
Owner: THUL ZACHARY 
Address: 70 REARVIEW DR 
RIVERBEND, NY 11903 
Year: 1988 Length: 41.9' MFG: 

Reg Number: K989495 State Registered: NY 
Hull Const.: FIBERGLASS 
Hull Number: 

Use: PLEASURE 
Propulsion: INBOARD 
Fuel: GASOLINE 

Possible FAA Aircraft Registrations 

Owner: THUL ZACHARY K 

Year: 1957 

Make: PIPER 

Model: PA-22 

N-Number: N0225J 

Aircraft: FIXED WING SINGLE ENGINE 

Address: 4833 STORM ST 133 

SPRINGFIELD, OH 34090 

Possible UCC Filings 

Original Date: 02/09/1988 

Action: INITIAL FILING Date: 1988 

File State: OHIO 

Debtor: ZACHARY THUL 

Address: 305 WAYBREEZE BLVD 

COLUMBUS OH 34209 

Secured Party: HOME SAVINGS & LOAN ASSOC 
AKRON OH 

Possible Bankruptcies, Liens and Judgments 
Court Location: EASTERN DISTRICT OF OHIO— FRANKLIN 
Filing Type: CHAPTER 7 DISCHARGE Filing Date: 08/14/1996 
Case Number: 98555555 Release Date:12/18/1996 
Creditor/Plaintiff: MARTIN T MARTINSON Amount: 

Debtor/Defender: THUYL ZACHARY K 
305 WAYBREEZE BLVD SSN: 960-45-XXXX 

A list of states for which AUTOTRACK XP SM has Uniform Commercial Code lien 
records can be located by choosing the Help link from the blue AUTOTRACK XP SM 
navigation bar at the top of the screen. 

COLUMBUS, OH 34209 
Attorney: MARTIN T MARTINSON 
Possible Professional Licenses 
Type: OHIO Professional License 
License Type: LICENSED SOCIAL WORKER 
Lic. Number: 42389 Status: ACTIVE 
Original Date: 01/10/1990 
SSN: DOB: 

Phone: 

Full Name: THUL, ZACHARY K 

Address: 4833 STORM ST 133 

SPRINGFIELD, OH 34090 

County: CLARK 

Possible FAA Pilot Licenses 

Pilot Name: THUL, ZACHARY K 

FAA Class: PRIVATE PILOT 

FAA Rating: SINGLE ENGINE LAND 

Medical Class: THIRD CLASS— VALID FOR 24 MONTHS 

Medical Date: 07/19/98 

FAA Region: NORTHWEST/MOUNTAIN— CO, ID, MT, OR, UT, WA, WY 

Address: 4833 STORM ST 133 

SPRINGFIELD, OH 34090 

Possible DEA Controlled Substance Licenses 

Business: PRACTITIONER 

Name: THUL, ZACHARY K MD Expires: 09/30/1999 
Address: 7891 W FLAGLER ST 
MIAMI OH 38972 

Authorized Drug Schedules: II, II, III, III, IV, V 
Possible Business Affiliations 
15 ROBY AVE HAMPTON BAYS, OH 11238 
STETSON HAULING, INC. OH 2543854 
CHAIRMAN ACTIVE 
Officer Name Match Only (NOT necessarily affiliated) 

Matching Name : THUL ZACHARY K 

OLSON FAMILY PROPERTIES & INVESTMENTS, INC. MA 789123 

REG AGENT ACTIVE 

TOO HOT TO HANDLE FL H76543 

SECRETARY INACTIVE 

Possible Relatives (* denotes match with one of subject’s addresses) 

(R-1) THUL CLAIRE DOB: DEC 1954 
SSN 999-15-XXXX issued in New York in 1973 
SEP 1994/JUL 1998— *305 WAYBREEZE BLVD 
COLUMBUS, OH 34209 

Certain individuals and businesses are required to be registered under the Con- 
trolled Substance Act. Physicians, dentists, and veterinarians are among this group. 
For a more complete explanation and definition of the drug schedules, choose the 
Help link from the blue AUTOTRACK XP SM navigation bar at the top of the screen. 
A list of states for which AUTOTRACK XP SM has corporation records can be located 
by choosing the Help link from the blue AUTOTRACK XP SM navigation bar at the 
top of the screen. A person will qualify as a possible relative in the National Com- 
prehensive Report Plus Associates SM if he or she has the subject’s last name and 
has been linked to one or more of the same addresses which appear under Possible 
Addresses Associated with Subject on page 1. 

The asterisks indicate an address match between the possible relative and the 
subject of the report (see Possible Addresses Associated with Subject on page 1). 

JUL 1995/ JUL 1995— *15 ROBY AVE (555) 123-4567 

HAMPTON BAYS, NY 11238 

OCT 1994/OCT 1996—355 LAVERNE AVE 

COLUMBUS, OH 34492 

DEC 1992/DEC 1996— *70 LAKE VIEW DR 

RIVERHEAD, NY 11901 

(R-2) THUL TOMMY DOB: 

DEC 1995/DEC 1996—599 MAIN ST 
RIVERBEND, NY 11093 
APR 1995/AUG 1995—355 LAVERNE AVE 
COLUMBUS, OH 34492 

Other People Who Have Used the Same Address of the Subject 
(* denotes match with one of subject’s addresses) 

15 ROBY AVE HAMPTON BAYS, NY 11238 
(O-1) GENNINE LOWELL 

SSN 972-45-XXXX issued in New York between 1966 and 1969 
SEP 1993/SEP 1994—5 NEWTON AVE 
HAMPTON BAYS, NY 12983 
12 M BAY ST 

HAMPTON BAYS, NY 13987 

*15 ROBY AVE 

HAMPTON BAYS, NY 11238 

305 WAYBREEZE BLVD COLUMBUS, OH 34209 

(O-2) MARIE G SMITH 

SSN 991-25-XXXX issued in New Jersey in 1962 

SEP 1993/SEP 1994— *305 WAYBREEZE BLVD 

COLUMBUS, OH 34209 

AUG 1995/AUG 1996—301 BAYSIDE TER 

CHARLOTTE, OH 34258 

SEP 1993/SEP 1994— *438 BULLSIDE TER W 

HACKENSACK, NJ 09348 

Possible Licensed Drivers at Subject’s Addresses 

7891 W FLAGLER ST MIAMI, OH 33144 

THUL, EDWARD H 

DL: T600465 issued in Ohio on 07/27/1994 expires 09/11/2000 
DOB: 04/19/1969 Height: 5'02" 

1400 35TH ST K 41 SPRINGFIELD, FL 34090 
**No Drivers Found At This Address** 

4833 STORM ST 133 SPRINGFIELD, OH 34443 

**91 Drivers found at this address, only last name considered. ** 

**No Drivers Found At This Address** 

305 WAYBREEZE BLVD COLUMBUS, OH 34209 
THUL, STACEY B 

DL: T600788 issued in Ohio on 07/24/1994 expires 04/27/2001 
DOB: 05/26/1926 Height: 5'04" 
Driver License Information is unavailable for the following states: NEW YORK, 
NEW JERSEY 

The report will attempt to locate a brief list of addresses for the possible relative. 
To possibly locate more current addresses for the relative, run a report by clicking 
on the underlined link. A person will qualify for this category in the National Com- 
prehensive Report SM Plus Associates if he or she has a last name different from the 
report subject’s last name and has been linked to one or more of the same address- 
es, which appear under Possible Addresses Associated with Subject on page 1. A per- 
son may be linked to one of the same addresses as the subject, even though he or 
she has never known the subject. Two people might be linked to the same address 
but at different time periods. For example, one person could be a former resident 
of the address where the subject now resides. Multiple address matches with the 
subject, denoted by multiple asterisks, will identify people who have a greater likeli- 
hood of knowing the subject. 

This message probably indicates that a multi-unit building is located at this ad- 
dress. 

Neighbor Phone Listings for Subject’s Addresses (only first six addresses included) 
7891 W FLAGLER ST MIAMI, OH 33144 

STATER OFFICE PRODUCTS 7895 W FLAGLER ST (555) 555-0482 

BIG ED’S MUFFLER SHOP 7897 W FLAGLER ST (555) 555-3358 

BUD’S USED CARS 7900 W FLAGLER ST (555) 555-8288 

15 ROBY AVE HAMPTON BAYS, NY 11238 

FELLINGHAM MIKE 4 ROBY AVE (555) 555-8697 

SCOTT GORDON G 6 ROBY AVE (555) 555-1297 

GHERSI JOHN 8 ROBY AVE (555) 555-6819 

ELIAS SIMON 9 ROBY AVE (555) 555-2659 

SCALCIONE STAN 10 ROBY AVE (555) 555-8425 

CANGIANO F P 12 ROBY AVE (555) 555-5217 

CORCORAN STEVE 26 ROBY AVE (555) 555-9917 

1400 35TH ST K SPRINGFIELD, OH 34443 

AHRENDT DAN 1400 35 ST K (555) 555-1664 

ALPIN JEFF 1400 35 ST K (555) 555-8117 

AMBROSE A 1400 35 ST K (555) 555-7553 

APURTON J 1400 35 ST K (555) 555-0735 

ARNOLD ROBY 1400 35 ST K (555) 555-4071 

BAKER C R 1400 35 ST K (555) 555-8490 

BALCHUNAS TERRY 1400 35 ST K (555) 555-5753 

BAMBERGER RICHARD 1400 35 ST K (555) 555-8203 

The following databases were searched but data for the subject was not found: 

ABI Business Directory, Active U.S. Military Personnel, Broward County Felonies/ 
Misdemeanors, Broward County Traffic Citations, Federal Firearms and Explosives 
License, Florida Accidents, Florida Banking and Finance Licenses, Florida Beverage 
License, Florida Boating Citations, Florida Concealed Weapon Permits, Florida Day 
Care Licenses, Florida Department of Education, Florida Felony/Probation/Parole, 
Florida Fictitious Name, Florida Handicap Parking Permits, Florida Hotels and Res- 
taurants, Florida Insurance Agents, Florida Marriages, Florida Money Transmitter 
Licenses, Florida Salt Water Product Licenses, Florida Securities Dealers, Florida 
Sexual Predator, Florida Tangible Property, Florida Tobacco License, Florida Un- 
claimed Property, Florida Worker’s Compensation Claims, Marine Radio Licenses, 
Significant Shareholders, Trademarks/Service Marks, and state-specific databases. 
***End of Report SS — 009/01*** 

Control Numbers: 5661614 — 5661620 — 1BF47FA5975FBA0 
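The sample report in Exhibit I spells out the linkage rules a data broker applies: a person is a "possible relative" if he or she shares the subject's last name and at least one of the subject's addresses; an "other person who has used the same address" shares an address but not the last name; each shared address earns one asterisk; and, as the report's own caveat says, two people can be linked by an address they occupied years apart and never have met. The following is an added worked example of those rules in Python, written for this page; it is not part of the hearing record and not ChoicePoint's or AutoTrack code. The record layout, the date-overlap flag (which the real report does not compute) and the sample records are constructed for the illustration.

```python
"""Record-linkage rules of a data-broker "comprehensive report".

Added illustration of the matching rules described in Exhibit I of the
hearing record. Everything here (record format, the date-overlap flag,
the sample records) is constructed for the example and is not a real
product's code or data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

YearMonth = Tuple[int, int]


@dataclass(frozen=True)
class AddressRecord:
    """One public-record link between a name and an address.

    start/end are (year, month); None means the record carries no date,
    which the report lists at the bottom of the address list.
    """
    name: str
    address: str
    start: Optional[YearMonth] = None
    end: Optional[YearMonth] = None


def last_name(name: str) -> str:
    """Names are in 'LAST, FIRST M' form, as in the sample report."""
    return name.split(",")[0].strip().upper()


def norm_addr(address: str) -> str:
    """Case- and whitespace-insensitive address key; no USPS normalisation."""
    return " ".join(address.upper().split())


def periods_overlap(a: AddressRecord, b: AddressRecord) -> bool:
    """True only when both records are dated and the ranges intersect."""
    if None in (a.start, a.end, b.start, b.end):
        return False
    return a.start <= b.end and b.start <= a.end


def link_people(records: List[AddressRecord], subject: str):
    """Return (possible_relatives, other_people_at_subject_addresses).

    Both are dicts keyed by name; each entry holds the shared addresses,
    the asterisk string the report prints (one per shared address) and
    whether any shared address has overlapping dates with the subject.
    """
    subj_name = subject.upper()
    subj_recs = [r for r in records if r.name.upper() == subj_name]
    subj_addrs = {norm_addr(r.address) for r in subj_recs}

    others: Dict[str, List[AddressRecord]] = {}
    for r in records:
        if r.name.upper() != subj_name:
            others.setdefault(r.name.upper(), []).append(r)

    relatives: Dict[str, dict] = {}
    associates: Dict[str, dict] = {}
    for name, recs in others.items():
        shared = {norm_addr(r.address) for r in recs} & subj_addrs
        if not shared:
            continue  # no address in common: not linked at all
        # The report links on address alone; this flag shows when the
        # two people's records at a shared address were never concurrent.
        overlap = any(
            periods_overlap(r, s)
            for r in recs
            for s in subj_recs
            if norm_addr(r.address) == norm_addr(s.address)
        )
        entry = {"shared": sorted(shared),
                 "stars": "*" * len(shared),
                 "dates_overlap": overlap}
        bucket = relatives if last_name(name) == last_name(subject) else associates
        bucket[name] = entry
    return relatives, associates


# Constructed sample records (fictitious, modelled on the exhibit's layout).
SAMPLE = [
    AddressRecord("THUL, ZACHARY K", "305 Waybreeze Blvd, Columbus OH", (1994, 9), (1995, 7)),
    AddressRecord("THUL, ZACHARY K", "15 Roby Ave, Hampton Bays NY", (1995, 6), (1997, 8)),
    AddressRecord("THUL, ZACHARY K", "438 Bullside Ter W, Hackensack NJ"),  # undated record
    AddressRecord("THUL, CLAIRE", "305 Waybreeze Blvd, Columbus OH", (1994, 9), (1998, 7)),
    AddressRecord("THUL, CLAIRE", "15 Roby Ave, Hampton Bays NY", (1995, 7), (1995, 7)),
    AddressRecord("LOWELL, GENNINE", "15 Roby Ave, Hampton Bays NY", (1990, 1), (1993, 8)),  # earlier tenant
    AddressRecord("SMITH, MARIE G", "305 Waybreeze Blvd, Columbus OH", (1993, 9), (1994, 8)),
    AddressRecord("SMITH, MARIE G", "438 Bullside Ter W, Hackensack NJ", (1993, 9), (1994, 9)),
    AddressRecord("JONES, PAT", "99 Elsewhere Rd, Dayton OH", (1995, 1), (1996, 1)),
]


if __name__ == "__main__":
    rel, assoc = link_people(SAMPLE, "THUL, ZACHARY K")
    for title, group in (("Possible Relatives", rel),
                         ("Other People Who Have Used the Same Address", group := assoc)):
        print(title)
        for name, e in group.items():
            print(f"  {e['stars']}{name}  shared={e['shared']}  concurrent={e['dates_overlap']}")
```

Run against the constructed records, the subject's sister-in-name gets two asterisks and a concurrent-date flag, while both "other people" match on address history alone: the earlier tenant at 15 Roby Ave left before the subject arrived, and Marie Smith's dated record at 305 Waybreeze ends the month before the subject's begins. That is the point the exhibit's fine print makes and the one an identity-theft victim needs to understand when a report ties strangers to their name.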
Exhibit II — The Wall Street Journal Online, May 2, 2005 


In the last few months, several major companies reported that customer data, in- 
cluding credit-card information, was compromised. The list includes: 

Company: ChoicePoint (compiler of consumer data) 
Date announced to general public: Feb. 15 
Number of people affected: About 145,000 consumers had data in the system. At least 750 fraud cases are known. 
Affected data: Addresses, Social Security numbers and credit reports. 
Security breach: Thieves posing as legitimate customers bought information. 
Response: Informed Federal authorities. Will no longer sell sensitive, personal data to clients other than governmental agencies, accredited corporate customers or other businesses whose use is driven by a consumer-initiated transaction. 

Company: Bank of America (bank and credit-card company) 
Date announced to general public: Feb. 25 
Number of people affected: Holders of as many as 1.2 million Federal Government charge cards. 
Affected data: Social Security numbers. 
Security breach: Computer backup tapes were lost. 
Response: Contacted Federal authorities, then consumers. 

Company: DSW Shoe Warehouse (shoe-store chain, a unit of Retail Ventures Inc.) 
Date announced to general public: March 8 
Number of people affected: Initially, the theft was said to be limited to about 100,000 customers; a month later, it was raised to 1.4 million. 
Affected data: Credit- and debit-card, checking account and driver's license numbers, and personal-shopping information. 
Security breach: Hackers stole data from a database for 108 of the chain's 175 stores. 
Response: Reported to Federal authorities. Customers advised to check credit-card statements. 

Company: LexisNexis (consolidator of legal and business information, a division of Reed Elsevier PLC) 
Date announced to general public: March 9 
Number of people affected: Initially, data for as many as 32,000 consumers was at risk. A month later, raised to about 310,000, though only 59 incidents of illegal action are known. 
Affected data: Social Security numbers and driver's license numbers. 
Security breach: Unauthorized use of customer logins and passwords. 
Response: Informed Federal authorities and consumers, improved security, limited customer access to personal data. 

Company: Boston College* 
Date announced to general public: March 17 
Number of people affected: Database included records on 120,000 alumni. 
Affected data: Addresses and Social Security numbers. 
Security breach: Intruder hacked into a school computer operated by an outside fundraiser. 
Response: Notified affected alumni. 

Company: Polo Ralph Lauren (clothing retailer) 
Date announced to general public: April 14 
Number of people affected: As many as 180,000 customers who hold GM-branded MasterCards. 
Affected data: Credit-card data. 
Security breach: n.a. 
Response: Card issuer HSBC notified consumers. 

Company: Ameritrade (online discount stock broker) 
Date announced to general public: April 19 
Number of people affected: About 200,000 current and former customers from 2000 to 2003. 
Affected data: Varies by customer. 
Security breach: Backup computer tape was lost in shipping. 
Response: Notified affected consumers. 

Company: Time Warner (media conglomerate) 
Date announced to general public: May 2 
Number of people affected: About 600,000 current and former U.S. employees back to 1986. 
Affected data: Social Security numbers and details on beneficiaries and dependents. 
Security breach: Backup computer tape was lost in shipping by an outside data-storage company. 
Response: Notified those affected. 

*Other recent university-level security breaches occurred at California State University-Chico, University of 
California-Berkeley, Tufts University and Northwestern University. 

Sources: WSJ, Associated Press, the companies. 

Note: Except where noted, these are cases of data being at risk, not of data being fraudulently used. In all 
cases the stolen data included the names of the affiliated consumers. 


Senator Smith. Thank you very much. 
This hearing has to conclude at 5 o’clock. And so, with that, I’ll 
let Senator Nelson — I know he has a number of questions. 

Senator Bill Nelson. OK. And, Mr. Chairman, what I’ll do is 
submit most of them in writing for the record. 

But let me just go through a couple of questions each for each 
of the four of you. 

Ms. Barrett, there was a report that, in your company, you had 
the theft of information through a person gaining illegal access to 
sensitive, personal information of 20 million people. When your 
company was alerted about this breach, Acxiom allegedly alerted 
its clients, but not the individual consumers that had been affected. 
Is it true — this report that’s in a book that we have read, entitled, 
“No Place to Hide ” — is it true that someone gained access to the 
sensitive records of 20 million people? 

Ms. Barrett. No, it’s not, Senator. The incident occurred in 
2003. It was a server that our clients use to transfer files to us for 
processing, and then we posted the results of that processing back 
on the file — on the server, to be transferred back to the client. 

The theft did involve many, many records. And, while that 20 
million number may be ballpark in terms of how many records 
were involved, that did not necessarily represent individuals. And 
it certainly in no way represented sensitive information. 

The standard for that particular server was that information of 
a sensitive nature — Social Security number and so forth — be 
encrypted. 

Senator Bill Nelson. Did law enforcement later search the per- 
petrator’s home and find a CD that contained the Acxiom data? 

Ms. Barrett. Yes. There were actually two perpetrators involved 
in this. And in one incident the perpetrator had copied information 
onto a CD and had it in his possession when law enforcement ap- 
prehended him. 

Senator Bill Nelson. And did that include the 20 million 
records? 

Ms. Barrett. I don’t know exactly how many records were on 
those CDs. We worked with law enforcement to identify the files 
that were involved. But it would have contained some of that infor- 
mation. 

Senator Bill Nelson. Well, if it — I mean, that’s what — the pur- 
pose of this hearing. We’re trying to point out what the problem is, 
and if there’s a CD in somebody’s home that they illegally stole, 
and it’s got 20 million records, that’s 20 million potential thefts. 

Ms. Barrett. It did not have 20 million records containing sen- 
sitive information. 

Senator Bill Nelson. How many did it have? 

Ms. Barrett. The CD? 

Senator Bill Nelson. Yes. 

Ms. Barrett. I do not know. I can try to get an estimate of that 
information for you. 

Senator Bill Nelson. And when you say “not sensitive informa- 
tion,” is a Social Security number sensitive information? 

Ms. Barrett. Absolutely. 

Senator Bill Nelson. How about a driver’s license number? 

Ms. Barrett. Absolutely. 

Senator Bill Nelson. So 
Ms. Barrett. I would define “sensitive information” in the way 
that California has defined it in their notice-breach law. 

Senator Bill Nelson. But you don’t know how many numbers 
were taken from the company. 

Ms. Barrett. How many sensitive-information 

Senator Bill Nelson. That’s correct. 

Ms. Barrett. We do not know, exactly. Our clients sent us this 
information. In some cases, it’s encrypted, and — in many cases, the 
sensitive information is encrypted; in some cases, nonsensitive in- 
formation is encrypted. When we send the files back to the clients, 
what happened after the breach was, we identified which files had 
been accessed inappropriately and illegally, and our clients went 
through an inventory of exactly what data was included in those 
files. In many cases, we did not have the data in our possession. 

Senator Bill Nelson. Mr. Chairman, the point that I’m merely 
making here, instead of quibbling at the numbers, is that, so 
often — obviously, the company doesn’t want people to know that 
somebody has gained illegal access to the information. And the in- 
formation is often described in a certain figure. And in the case of 
both ChoicePoint and LexisNexis, the first figure that was given 
out publicly was much, much less than what it ultimately was. In 
the case of LexisNexis — and I’m a little more sensitive to this, be- 
cause it was a Florida company that they had acquired — and they 
first said it was 30,000, and then they admitted that it was 
300,000. So, we’ve got — I think the whole point here is, instead of 
quibbling with you about 20 million or one million or whatnot, that 
we’ve got a problem. 

All right, let me ask you about — you had made some assertions — 
specifically, an e-mail, Ms. Barrett, on May 21, 2002, to John 
Poindexter. And in that e-mail, you allegedly stated — and tell us if 
this is true — quote, “The U.S. may need huge databases of commer- 
cial transactions that cover the world,” and that Acxiom could build 
this mega-scale database. Why would such a — why would such a 
database of commercial transactions be necessary? And what steps 
has Acxiom taken to create this database? 

Ms. Barrett. Senator, I’m not familiar, specifically, with the e- 
mail that you’re referring to. 

Senator Bill Nelson. Did you send 

Ms. Barrett. Back in 

Senator Bill Nelson. — an e-mail to John 

Ms. Barrett. I did not 

Senator Bill Nelson. — Poindexter? 

Ms. Barrett. — personally send an e-mail to John Poindexter, no. 
I would — could check and see if someone from our company did. 

We worked with the Department of Defense and some of the staff 
on John Poindexter’s — in John Poindexter’s organization back in 
2002, in an advisory capacity talking about some of the projects 
that he was exploring. And, specifically, we advised that Depart- 
ment that there were significant privacy concerns that needed to 
be taken into account in the development of any kind of large-scale 
databases. 

Senator Bill Nelson. That information, supposedly — and we’ll 
check it out — was obtained under the Freedom of Information Act 
by the Electronic Privacy Information Center. And that’s 
Ms. Barrett. I’m 

Mr. Rotenberg. Senator, the e-mail is on our website. 

Ms. Barrett. The e-mail is an e-mail — if it’s the specific situa- 
tion we’re talking about with EPIC, the e-mail is not from me; it 
is from a member of John Poindexter’s staff. 

Senator Bill Nelson. OK, thank you for clarifying that. Rather 
chilling. “The U.S. may need huge databases of commercial trans- 
actions to cover the world.” 

Let me ask you, Mr. Rotenberg, the Privacy Act of 1974, in part, 
prevented the Federal Government from creating central databases 
where all personal information could be stored for government ac- 
cess. It now appears at least some levels of government are out- 
sourcing this task to information brokers, witness my further — ear- 
lier questioning about Seisint and the database called Matrix. In 
your opinion, is the Federal Government complying with the letter 
and the spirit of the law of the Privacy Act of 1974? 

Mr. Rotenberg. No, it’s not, Senator. In fact, one of the things 
that we realized as we pursued a Freedom of Information Act re- 
quest involving ChoicePoint was the extraordinary amount of per- 
sonal information that was being obtained by Federal agencies for 
law enforcement purposes. 

Now, we don’t dispute that the information may have value for 
investigations. We understand that. The question is whether there 
is any legal safeguard in place to ensure that the Privacy Act prin- 
ciples, such as due process and oversight and protection of First 
Amendment freedoms, are being respected. 

And our view is that, in the absence of explicit application of the 
Privacy Act to the information brokers, the answer is that there is 
not the protection of the 1974 Act, as there should be. 

Senator Bill Nelson. Just quick questions here, because the 
Chairman needs to get out of here. Do you think the legislation 
that Senator Schumer and I have filed would help restore greater 
consumer privacy and reduce identity theft? 

Mr. Rotenberg. Yes, I do, Senator. And I think it is absolutely 
urgent for the Committee to act on it. One of the points that I 
make in my written statement is that the problem of identity theft 
is rapidly escalating in this country. In fact, today the Senate may 
take up the Real ID Act, a dramatic expansion of identification cre- 
dentials in this country, without even any debate. And you may be 
interested to know that state DMVs have become the targets of 
identity thieves. 

Senator Bill Nelson. Mr. Kurtz, what do you think about the 
legislation that we filed? 

Mr. Kurtz. Well, first of all, I want to commend you and Sen- 
ator — Senator Nelson and Senator Schumer for taking the lead on 
pulling together legislation in this space. I think there are several 
good points with regard to the legislation. First, notice, mandatory 
notice, and the scope which you’ve applied with regard to the no- 
tice. You’ve noted that it’s broader than just the data brokers that 
we need to think about. Two, you’ve talked about reasonable secu- 
rity measures and the importance of that. And I would note, in 
that space, under the Privacy Act, there are reasonable measures 
that need to be taken by the Federal Government in order to se- 
cure Social Security numbers and dates of birth and the like. 
Three, you’ve given victims a place to go. We, at the Cyber Security 
Alliance, get a lot of calls, “Where do we go? Who are we supposed 
to talk to?” You can report it in to the FTC, as it is right now, but, 
frankly, they have limited means in order to deal with it. They can 
keep it in the Sentinel database and track things, but they don’t 
actually have an apparatus where you can go to actually do follow- 
up. 

And, the final point that I would make — and I’m probably leav- 
ing something out — is the importance of leadership. You’ve identi- 
fied the need to have the executive branch take a greater leader- 
ship role in cybersecurity overall, understanding that this is just 
not one single slice of an issue. All these issues that we’re dealing 
with — phishing, spyware, data-warehouse security — they’re all 
interconnected. Having an Assistant Secretary at DHS to be that 
strategic leader would be incredibly helpful. 

Senator Bill Nelson. Thank you for that. I mean, and that un- 
derscores the next part of this legislation, which is protection of the 
homeland, as well as protection of our individuals. 

Thank you, Mr. Chairman. 

Senator Smith. Thank you, Senator Nelson. 

Senator Pryor, do you have a question? 

Senator Pryor. Mr. Chairman, if you need to head out, I can 

Senator Smith. Go ahead. 

Senator Pryor. OK. Because I don’t mind taking over the leader- 
ship of this Committee. I don’t think I can do a whole lot of damage 
from here. 

[Laughter.] 

Senator Pryor. As much as I’d like to. 

[Laughter.] 

Senator Pryor. But I can — I’ll be glad to. If you need to run, 
please just — I’ll try to make my questions brief. 

Mr. Rotenberg 

Senator Bill Nelson. We can do a mark-up if he leaves. 

[Laughter.] 

Senator Pryor. That’s right. If you’d just leave 

[Laughter.] 

Senator Pryor. — and allow us a little time here by ourselves, we 
would appreciate it. Do you mind? 

[Laughter.] 

Senator Smith. I trust you guys implicitly, but I think my col- 
leagues might question my wisdom, I’m sure. 

[Laughter.] 

Senator Pryor. Mr. Rotenberg, let me start with you, if I may. 
I want to know what your experience has been with credit-freeze 
laws in the states. And I’m seeing a story here — I believe it comes 
out of Texas, or maybe Vermont, I’m not quite sure — but can you 
tell us, first, what credit freeze is, and how it’s worked, if you think 
it’s a good idea? 

Mr. Rotenberg. Sure. Senator, I think it’s a very good idea. Simply 
stated, what a credit freeze does is put your credit report in 
the “off” setting. In other words, it isn’t disclosed to others unless 
you decide that you want to make your credit report available. Cur- 
rently, credit reports are widely available. They’re used for very 
many purposes that most consumers aren’t aware of. And what the 
four states have done that have passed credit-freeze legislation, has 
been to basically say to consumers, “If you need to get a home 
mortgage, if you need a loan for the car, sure, you’re going to want 
to make your credit report available. But, otherwise, that report 
will stay in the ‘off’ setting, and others won’t get access to it.” And 
we think it’s a very sensible way to reduce the risk of identity 
theft. 

Ms. Frank. May I add something? 

Senator Pryor. Yes. 

Ms. Frank. Our State was the first State to ask for it, and I 
helped with that legislation. The reason we had a need for a secu- 
rity freeze is because the fraud alerts weren’t working. In other 
words, when you became a victim of identity theft, you could call 
the credit-reporting agencies and put a fraud alert on your credit 
profile, and it says, “Don’t issue credit without calling me first.” 
What we were finding is that myriad victims would have that fraud 
alert on their credit profile, yet there were creditors that still 
issued credit. So, we went to the legislature and said, “We need 
something that is going to be a real key to lock the door.” And so, 
the credit freeze is such that a victim, or even, in our State, a con- 
sumer, can write to the credit-reporting agencies — and if you’re a 
victim, for free — you can put this credit freeze on, which gives you 
a password. So, let’s say I have a credit freeze on my credit report 
and I want to go out and buy a car. I can unfreeze, or “thaw,” with 
my password for a specific industry, like all the car dealerships, or 
I can do it for everyone. And then I refreeze it. Now, if you’re a 
non-victim, you pay $10 to freeze it or non-freeze it. 

If fraud alerts worked, which now you know, it’s written into the 
FACTA, which is the Fair and Accurate Credit Transactions Act — 
if they really worked 100 percent, and people called you, that 
would be one thing. But under FACTA, if a creditor issues credit 
when there’s a fraud alert on your credit report, you have no pri- 
vate right-of-action. You have no recourse. And so, I’m telling all 
California citizens, and those who are in the states that have this 
freeze, the only way you can guarantee that you can protect your- 
self from financial identity theft is to use the freeze. It won’t help 
you for criminal identity theft, but it will help you for financial. 

Senator Pryor. OK. Well, I — thank you for that. Ms. Frank, let 
me ask you, while we’re talking about this — changing gears a little 
bit — but we know that data brokers have information like Social 
Security numbers, dates of birth, you know, street addresses, 
records of what we purchase, you know, things like that, but can 
you give me some examples of information — if you know any — ex- 
amples of information that are so intensely private that the data 
should never be allowed to be shared? 

Ms. Frank. Well, if you look at my written testimony, on page 
17 

Senator Pryor. OK. 

Ms. Frank. — you will find an exhibit of an actual sample of 
AutoTrack, which is from ChoicePoint. It has not only the Social 
Security number, date of birth, AKAs, and then it says “other pos- 
sible Social Security numbers.” 

Senator Pryor. OK. 
Ms. Frank. It also has, if you look down here, driver’s licenses, 
height, weight — let’s see — past addresses. You go down here, and 
it has other things, like, hmm, you name it, it’s in here, places 
you’ve lived, cars you’ve bought, boats or anything like that, if you 
have a pilot’s — any kind of license you ever had, any problem with 
the license, if you were ever suspended for something, deeds, all 
the deeds that you’ve ever owned. Now, some of these are public 
records. 

Now, I want to say one thing about public records. Death certifi- 
cates, birth certificates, marriage certificates, they have your Social 
Security number. In the State of California, we have passed laws 
to redact those numbers, because your mother’s maiden name, for 
example, is on your birth certificate, and your parents’ Social Secu- 
rity number is on your birth certificate. 

OK. So, if you look at this — I don’t want to take — I’m seeing the 
red light coming on — you can look, yourself, for — this thing goes 
from page 17 all the way to page 23 of all the things — 24. 

Senator Pryor. But are you saying that some of that is so in- 
tensely private that it should not be shared? 

Ms. Frank. Well, if you got this, which I have seen on other peo- 
ple — if you got this, you would have an entire package to take 
someone’s identity — it even says your family and your neighbors 
and your family’s name — the members of your family, who lives 
there, what licenses they have. And it even gives neighbors around 
the block. So, basically, if somebody wanted to steal your identity, 
Senator, they’d have everything that they need to talk about who 
you are, what properties you’ve owned, where you’ve lived. 

So, what I’m saying, it’s the entire profile that is so terribly 
frightening, and the Social Security number, at this point, is the 
key to the kingdom of identity theft. And it’s all in here. 

Senator Pryor. OK. One last question, if I may, Mr. Chairman, 
and this is for Ms. Barrett, and that is — you mentioned, during 
your testimony a few moments ago, that your company encrypts 
data. If we required all companies that handle, you know, person- 
ally identifiable data — if we required them to encrypt it, would that 
help solve this problem? 

Ms. Barrett. Yes, I think it would. Encryption is a wonderful 
tool for protecting data, both in the static state, as well as in tran- 
sit. And as one of the — it was mentioned earlier, information in 
transit is one of the riskier areas where identity thieves have an 
opportunity to take hold of data. 

Encryption is not as easy as we would like for it — to think it is. 
It’s not a plug-and-play kind of thing for companies to do. But we 
need all the incentives we can to make it much more of a universal 
standard. 

Ms. Frank. Senator, one thing. If we had encryption, it would 
not have helped in the ChoicePoint, when it’s a dirty insider. So — 
and, also, if you have somebody in the IT department who can 
unencrypt — so, if you had encryption, that’s great, but you have to 
have an exception for security notice if it is a dirty insider. 

Senator Pryor. Mr. Chairman, I’m sorry, I think Mr. Kurtz had 
a 

Mr. Kurtz. Yes. Senator Pryor, I just wanted to add — I think 
what California 1386 did, which I thought was rather elegant, was, 
they didn’t mandate that encryption be used. They said that, for 
any unencrypted breach of information, that the owner of the infor- 
mation needed to be notified. I think the point that I guess I’m try- 
ing to make here is, we need to think more broader — broadly, and 
not just a technology mandate of one type of technology — or, excuse 
me, no mandates of specific type of technologies; let’s look at the 
whole set of tools that are available which are, in fact, technologies, 
policies, and expertise that need to be brought together. And I’ve 
outlined that in my written testimony for you folks to review. 

Senator Smith. So, it left it up to the companies and technologies 
to 

Mr. Kurtz. Yes, in fact 

Senator Smith. — to meet the standard, rather than to prescribe 
a standard. 

Mr. Kurtz. Yes. And, in fact, we haven’t talked about standards 
today, but there are standards out there that people can look and 
turn to in order to get some guidance as to what they might need 
to do in order to secure their systems. There are — you know, there 
are international standards, there are American standards that 
people could look at that could really be used for folks to turn to. 
Now, sometimes they’re criticized for being too broad, or too general, 
but there are some, you know, if you will, key guideposts there that 
companies can look at, or you could ask companies to look at, in 
order to ensure they’re doing the right thing. 

Senator Smith. And their motivation is, they’ve got legal liability 
for that. 

Mr. Kurtz. That’s an issue that the Congress might consider in- 
vestigating. What type of incentives might you build into this in 
order to get folks to go down that road? 

Senator Smith. Well, what did California do? What was their ele- 
gant solution? What was it? 

Mr. Kurtz. Their elegant solution was, they didn’t require 
encryption. 

Senator Smith. So, if they didn’t require it, did they just give 
them the assignment and left open the liability? 

Mr. Kurtz. Excuse me. I don’t have the language in front of me, 
but it basically said for any unencrypted breach of information, 
there’s a requirement to notify. So, if you unpack that, it means 
that if you encrypt, there is not an obligation to notify. 

Ms. Frank. And we’re thinking of amending that for — you know, 
we like the idea of encryption, but we’re thinking of amending it 
for those who know that there was access without encryption. 

Senator Smith. What’s the penalty if they don’t do all of that? 

Ms. Frank. Well, they can be sued. 

Senator Smith. OK. That’s what I’m getting at. 

Mr. Kurtz. Oh. 

Senator Smith. And do they specifically address that, or do they 
leave it open, do you recall? 

Ms. Frank. Well, I’m trying to think exactly what the language 
says, since 

Senator Smith. That’s OK. 

Ms. Frank. I can send it to you. I’ll give it you. 

Senator Smith. Senator, did you have any more questions? 
Senator Pryor. All I was going to say is really just a comment. 
I notice in this month’s Fortune magazine, there’s an article called 
“The Great Data Heist,” and, in there, they talk about how security 
information typically walks out the door in one of three ways — 
hackers grab it, employees steal it, or companies lose it. And I 
think that’s probably right. I assume you all would agree with that. 
And so, what you’re saying is right. Encryption, I think, is an im- 
portant piece of this, but it doesn’t solve all the problems. It 
doesn’t — it’s not a cure-all. 

Mr. Kurtz. It’s not a panacea. 

Senator Pryor. Yes. 

Thank you, Mr. Chairman. 

Senator Smith. Thank you, Senator Pryor. 

And, ladies and gentlemen, thank you each for the contribution 
you’ve made to this first very important hearing on a very vital 
topic to the American people. We will, no doubt, be pursuing legis- 
lative proposals. The Chairman, Senator Stevens, has so indicated. 
But I think you have laid a good foundation in this hearing today, 
and we thank you very much for your time and contribution. 

We’re adjourned. 

[Whereupon, at 5:15 p.m., the hearing was adjourned.] 
Prepared statement of Gail Hillebrand, Senior Attorney, Consumers Union 

Identity for Sale? Protecting Consumers from Identity Theft 

Summary 

Consumers Union,[1] the non-profit, independent publisher of Consumer Reports, 
believes that the recent announcements by ChoicePoint, Lexis-Nexis, and many oth- 
ers about the lack of security of our most personal information underscore the need 
for Congress and the States to act to protect consumers from identity theft. 

Identity theft is a serious crime that has become more common in recent years 
as we have delved further into the “information age.” According to the Federal 
Trade Commission, 27.3 million Americans have been victims of identity theft in the 
past five years, costing businesses and financial institutions $48 billion and con- 
sumers $5 billion. Victims pay an average of $1,400 (not including attorney fees) 
and spend an average of 600 hours to clear their credit reports. The personal costs 
can also be devastating; identity theft can create unimaginable family stress when 
victims are turned down for mortgages, student loans, and even jobs. 

And as ongoing scandals involving ChoicePoint, Lexis-Nexis, and others point to, 
American consumers cannot fully protect themselves against identity theft on their 
own. Even consumers who do “everything right,” such as paying their bills on time 
and holding tight to personal information such as Social Security numbers and 
dates of birth, can become victims through no fault of their own because the compa- 
nies who profit from this information have lax security standards. 

Therefore, Congress and the States must enact new obligations grounded in Fair 
Information Practices[2] on those who hold, use, sell, or profit from private informa- 
tion about consumers. In this context, Fair Information Practices would reduce the 
collection of unnecessary information, restrict the use of information to the purpose 
for which it was initially provided, require that information be kept secure, require 
rigorous screening of the purposes asserted by persons attempting to gain access to 
that information, and provide for full access to and correction of information held. 

Consumers Union Recommends That Lawmakers Do the Following 

• Require notice of all security breaches: Impose requirements on businesses, non- 
profits, and government entities to notify consumers when an unauthorized per- 
son has gained access to sensitive information pertaining to them. Consumers 
Union supports S. 751, by Senator Dianne Feinstein, which would put these re- 
quirements in place. We also believe that S. 768, introduced by Senator Charles 
Schumer and Senator Bill Nelson, will make an excellent notice of breach law. 

[1] Consumers Union is a non-profit membership organization chartered in 1936 under the laws 
of the State of New York to provide consumers with information, education and counsel about 
goods, services, health and personal finance, and to initiate and cooperate with individual and 
group efforts to maintain and enhance the quality of life for consumers. Consumers Union’s in- 
come is solely derived from the sale of Consumer Reports, its other publications and from non- 
commercial contributions, grants and fees. In addition to reports on Consumers Union’s own 
product testing, Consumer Reports, with a paid circulation of more than four million, regularly 
carries articles on health, product safety, marketplace economics and legislative, judicial and regu- 
latory actions which affect consumer welfare. Consumers Union’s publications carry no adver- 
tising and receive no commercial support. 

[2] The Code of Fair Information Practices was developed by the Health, Education, and Welfare 
Advisory Committee on Automated Data Systems, in a report released two decades ago. The 
Electronic Privacy Information Center has described the Code as based on these five principles: 
(1) There must be no personal data recordkeeping systems whose very existence is secret. (2) 
There must be a way for a person to find out what information about the person is in a record 
and how it is used. (3) There must be a way for a person to prevent information about the per- 
son that was obtained for one purpose from being used or made available for other purposes 
without the person’s consent. (4) There must be a way for a person to correct or amend a record 
of identifiable information about the person. (5) Any organization creating, maintaining, using, 
or disseminating records of identifiable personal data must assure the reliability of the data for 
their intended use and must take precautions to prevent misuses of the data. Electronic Privacy 
Information Center, http://www.epic.org/privacy/consumer/code_fair_info.html. 

• Require and monitor security: Impose strong requirements on information bro- 
kers to protect the information they hold and to screen and monitor the persons 
to whom they make that information available. S. 768, as well as S. 500 and 
H.R. 1080, introduced by Senator Bill Nelson and Representative Ed Markey, 
respectively, would direct the Federal Trade Commission to develop such stand- 
ards and oversee compliance with them. 

• Give consumers access to and a right to correct information: Give individuals 
rights to see, dispute, and correct information held by information brokers. This 
is also addressed in the Schumer/Nelson and Nelson/Markey bills. 

• Protect SSNs: Restrict the sale, collection, use, sharing, posting, display, and 
secondary use of Social Security numbers. 

• Require more care from creditors: Require creditors to take additional steps to 
verify the identity of an applicant when there is an indicator of possible ID 
theft. 

• Grant individuals control over their sensitive information: Give individuals 
rights to control who collects — and who sees — sensitive information about them. 

• Restrict secondary use of sensitive information: Restrict the use of sensitive, per- 
sonal information for purposes other than the purposes for which it was col- 
lected or other uses to which the consumer affirmatively consents. 

• Fix FACTA: A consumer should be able to access more of his or her Fair and 
Accurate Credit Transactions Act (FACTA) rights, such as the extended fraud 
alert, before becoming an ID theft victim. Further, one of the key FACTA rights 
is tied to a police report, which victims still report difficulty in getting and 
using. 

• Create strong and broadly-based enforcement: Authorize Federal, State, local, 
and private enforcement of all of these obligations. 

• Recognize the role of states: States have pioneered responses to new forms of 
identity crime and risks to personal privacy. Congress should not inhibit states 
from putting in place additional identity theft and privacy safeguards. 

• Provide resources and tools for law enforcement: Provide funding for law en- 
forcement to pursue multi-jurisdictional crimes promptly and effectively. Law 
enforcement also may need new tools to promote prompt cooperation from the 
Social Security Administration and private creditors in connection with identity 
theft investigations. 

After a very brief discussion of the problem of identity theft, each recommendation 
is discussed. 

The Problem of Identity Theft Is Large and Growing 

Current law simply has not protected consumers from identity theft. The numbers 
tell part of the story: 

• According to the Federal Trade Commission, 27.3 million Americans have been 
victims of identity theft in the last five years, costing businesses and financial 
institutions $48 billion, plus another $5 billion in costs to consumers. 

• Commentator Bob Sullivan has estimated that information concerning two mil- 
lion consumers is involved in the security breaches announced over just the six 
weeks ending April 6, 2005. Is Your Personal Data Next?: Rash of Data Heists 
Points to Fundamental ID Theft Problem, http://msnbc.msn.com/id/7358558 

• Based on a report to the FTC in 2003, which concluded that there were nearly 
10 million identity theft victims each year, Consumers Union estimates that 
every minute 19 more Americans become victims of ID theft. 

These numbers can’t begin to describe the stress, financial uncertainty, lost work- 
time productivity and lost family-time identity theft victims experience. Even finan- 
cially responsible people who routinely pay their bills on time can find themselves 
in a land of debt collector calls, ruined credit and lost opportunities for jobs, apart- 
ments, and prime credit. With more and more scandals coming out every week, the 
time has come for Congress to act to protect the security of our personal informa- 
tion. 
Recommendations 

Notification 

Notice of security breaches of information, whether held in computerized or paper 
form, is the beginning, not the end, of a series of steps needed to begin to resolve 
the fundamental conundrum of the U.S. information society: collecting informa- 
tion generates revenues or efficiencies for the holder of the information but can pose 
a risk of harm to the persons whose economic and personal lives are described by 
that information. 

The first principle of Fair Information Practices is that there be no collection of 
data about individuals whose very existence is a secret from those individuals. A 
corollary of this must be that when the security of a collection of data containing 
sensitive information about an individual is breached, that breach cannot be kept 
secret from the individual. Recognizing the breadth of the information that business, 
government, and others hold about individuals, Consumers Union recommends a no- 
tice of breach requirement that is strong yet covers only “sensitive” personal infor- 
mation, including account numbers, numbers commonly used as identifiers for credit 
and similar purposes, biometric information, and similar information. This sensitive 
information could open the door to future identity theft, so it is vital that people 
know when this information has been breached. 

Consumers Union supports a notice-of-breach law which does the following: 

• Covers paper and computerized data. 

• Covers government and privately-held information. 

• Does not except encrypted data. 

• Does not except regulated entities. 

• Has no loopholes, sometimes called “safe harbors.” 

• Is triggered by the acquisition of information by an unauthorized person. 

• Requires that any law enforcement waiting period must be requested in writing 
and be based on a serious impediment to the investigation. 

• Gives consumers who receive a notice of breach access to the Federal right to 
place an extended fraud alert. 

Consumers Union supports S. 751, which contains these elements. S. 768 contains 
most, but not all, of these elements and in certain other respects provides additional 
protections. 

Three of these elements are of special importance: covering all breaches without 
exceptions or special weaker rules for particular industries, covering data contained 
on paper as well as on computer, and covering data whether or not it is encrypted. 
First, a “one rule for all breaches” is the only way to ensure that the notice is suffi- 
ciently timely to be useful by the consumer for prevention of harm. “One rule for 
all” is also the only rule that can avoid a factual morass which could make it impos- 
sible to determine if a breach notice should have been given. By contrast, a weak 
notice recommendation such as the one contained in the guidance issued by the 
bank regulatory agencies[3] cannot create a strong marketplace incentive to invest 
the time, money, and top-level executive attention to reduce or eliminate, future 
breaches. 

Second, unauthorized access to paper records, such as hospital charts or employee 
personnel files, is just as likely to expose an individual to a risk of identity theft 
as theft of computer files. Third, encryption doesn’t protect information from insider 
theft, and the forms of encryption vary widely in their effectiveness. Further, even 
the most effective form of encryption can quickly become worthless if it is not adapt- 
ed to keep up with changes in technology and with new tools developed by crimi- 
nals. 

A requirement to give notice of a security breach elevates the issue of information 
security inside a company. A requirement for swift, no-exemption notice of security 


[3] That weak recommendation allows a financial institution to decide whether or not its cus- 
tomers need to know about a breach, and the explanatory material even states that it can reach 
a conclusion that notice is unnecessary without making a full investigation. Interagency Guid- 
ance on Response Programs for Unauthorized Access to Customer Information and Customer No- 
tice, 12 CFR Part 30, 12 CFR Parts 208 and 225, 12 CFR Part 364, 12 CFR Parts 568 and 570. 
Other reasons why those guidelines are insufficient to substitute for a statutory requirement 
to give notice include that they do not apply to non-customers about whom the financial institu- 
tion has sensitive data, that there is no direct or express penalty for violation of the guideline, 
and that their case-by-case approach will make it extremely hard to determine in which cir- 
cumstances the guidance actually recommends notice to consumers, complicating the process of 
showing that an obligation was unmet. 
breaches should create reputational and other marketplace incentives for those who 
hold sensitive consumer information to improve their internal security practices. For 
example, California’s security breach law has led to improved data security in at 
least two cases. According to news reports, after giving its third notice of security 
breach in fifteen months, Wells Fargo Bank ordered a comprehensive review of all 
its information handling practices. The column quoted a memo from Wells Fargo’s 
CEO stating in part: “The results have been enlightening and demonstrate a need 
for additional study, remediation and oversight. . . . Approximately 70 percent of 
our remote data has some measure of security exposure as stored and managed 
today.”[4] 

In another example, UC Berkeley Chancellor Robert Birgeneau announced plans 
to hire an outside auditor to examine data gathering, retention, and security, telling 
employees: “I insist that we safeguard the personal information we are given as if 
it were our own.”[5] This announcement followed the second announced breach of the 
security of data held by the University in six months, this one involving 100,000 
people.[6] 

In the Sarbanes-Oxley Act, Congress recognized the importance of the “tone at the 
top,” and for that reason took steps to require that corporate boards and CEOs work 
to improve the quality and accuracy of audited financial statements. A strong, clear 
notice of security breach law, without exceptions, could similarly focus the attention 
of top management on information security — creating an incentive for a “tone at the 
top” to take steps to minimize or eliminate security breaches. 

Security 

Consumers Union supports S. 500 and H.R. 1080, introduced by Senator Bill Nel- 
son and Representative Ed Markey, respectively. These measures would direct the 
Federal Trade Commission (FTC) to promulgate strong standards for information 
security and a strong obligation to screen customers, both initially and with respect 
to how those customers further protect the information from unauthorized use. They 
also provide for ongoing compliance monitoring by the FTC. S. 768, the Schumer- 
Nelson bill, contains similar provisions. 

If Congress wanted to take even stronger steps with respect to information bro- 
kers, it could require information brokers to undergo annual audits, paid for by the 
broker and performed by an independent auditor retained by the FTC, with specific 
authority in the FTC to require corrective action for security and customer screen- 
ing weaknesses identified in the audit, as well as allowing the FTC to specify par- 
ticular aspects of information security that should be included in each such audit. 

Any Federal information broker law must require strong protections in specific as- 
pects of information security, as well as imposing a broad requirement that security 
in fact be effective and be monitored for ongoing effectiveness. Congress must deter- 
mine the balance between the public interest in the protection of data and the busi- 
ness interest in the business of information brokering. Security breaches and the 
effects on consumers of the ongoing maintenance of files on most Americans by in- 
formation brokers are issues too important to be delegated in full to any regulatory 
agency. 

Access and Correction 

Two of the basic Fair Information Practices are the right to see and the right to 
correct information held about the consumer. S. 768, S. 500, and H.R. 1080 all ad- 
dress these issues. While the Fair Credit Reporting Act (FCRA) allows consumers 
to see and correct their credit reports, as defined by FCRA, consumers currently 
have no legal right to see the whole file held on them by an information broker such 
as ChoicePoint and Lexis-Nexis, even though the information in that file may have 
a profound effect on the consumer. There is also lack of clarity about what a con- 
sumer will be able to see even under the FCRA if the information broker has not 
yet made a report to a potential employer or landlord about that consumer.[7] 

Because the uses of information held by data brokers continue to grow and 
change, affecting consumers in myriad ways, consumers must be given the legal 
right to see all of the information data brokers hold on them, and to seek and win 
prompt correction of that information if it is in error. 


4 D. Lazarus, “Wells Boss Frets Over Security,” S.F. Chronicle, Feb. 23, 2005, 
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/02/23/BUGBHBFCR1l.DTL. 

5 “Cal Laptop Security Put Under Microscope,” April 6, 2005, Inside Bay Area, 
http://www.insidebayarea.com/searchresults/ci_2642564. 

6 Opinion Page, Oakland Tribune, April 5, 2005. 

7 Testimony of Evan Hendricks, Editor/Publisher, Privacy Times, before the Senate Banking 
Committee, March 15, 2005, http://banking.senate.gov/files/hendricks.pdf 

Protection for SSNs

The Social Security number (SSN) has become a de facto national identifier in a 
number of U.S. industries dealing with consumers. Some proposals for reform have 
emphasized consent to the use, sale, sharing or posting of Social Security numbers. 
Consumers Union believes that a consent approach will be less effective than a set 
of rules designed to reduce the collection and use of sensitive consumer information. 

Take, for example, an analogy from the recycling mantra: “Reduce, reuse, recycle.” 
Just as public policy to promote recycling first starts with “reducing” the use of ma- 
terials that could end up in a landfill, so protection of sensitive, personal informa- 
tion should begin with reduction in the collection and use of such information. Re- 
strictions on the use of the Social Security number must begin with restricting the 
initial collection of this number to only those transactions where the Social Security 
number is not only necessary, but also essential to facilitating the transaction re- 
quested by the consumer. The same is true for other identifying numbers or infor- 
mation that may be called upon as Social Security numbers are relied upon less. 

Consumers Union endorses these basic principles for an approach to Social Secu- 
rity numbers: 

• Ban collection and use of SSNs by private entities or by government except 
where necessary to a transaction and there is no alternative identifier which 
will suffice. 

• Ban sale, posting, or display of SSNs, including no sale of credit header infor- 
mation containing SSNs. There is no legitimate reason to post or display indi- 
viduals’ Social Security numbers to the public. 

• Ban sharing of SSNs, including between affiliates. 

• Ban secondary use of SSNs, including within the company which collected them. 

• Out of the envelope: ban printing or encoding of SSNs on government and pri- 
vate checks, statements, and the like. 

• Out of the wallet: ban use of the SSN for government or private identifier, ex- 
cept for Social Security purposes. This includes banning the use of the SSN, or 
a variation or part of it, for government and private programs such as Medicare, 
health insurance, driver’s licenses or driver’s records, and military, student, or 
employee identification. Any provision banning the printing of SSNs on identi- 
fying cards should also prohibit encoding the same information on the card. 

• Public records containing SSNs must be redacted before posting. 

• There should be no exceptions for regulated entities. 

• There should be no exception for business-to-business use of SSNs. 

Congress should also consider whether to impose the same type of “responsibility 
requirements” on the collection, sale, use, sharing, display and posting of other in- 
formation that could easily evolve into a substitute “national identifier,” including 
driver’s license number, state non-driver information number, biometric information 
and cell phone numbers. 

Creditor Identity Theft Prevention Obligations 

Information is stolen because it is valuable. A key part of that value is the ability 
to use the information to gain credit in someone else’s name. That value exists only 
because credit granting institutions do not check the identity of applicants carefully 
enough to discover identity thieves before credit is granted. 

Financial institutions and other users of consumer credit reports and credit scores 
should be obligated to take affirmative steps to establish contact with the consumer 
before giving credit or allowing access to an account when there is an indicator of 
possible false application, account takeover or unauthorized use. The news reports 
of the credit card issued to Clifford J. Dawg, while humorous, illustrate a real prob- 
lem — creditor eagerness to issue credit spurs inadequate review of the identity of 
the applicant. 8 When the applicant is a dog, this might seem funny, but when the 
applicant is a thief, there are serious consequences for the integrity of the credit 
reporting system and for the consumer whose good name is being ruined. 

As new identifiers evolve, criminals will seek to gain access to and use those new 
identifiers. Thus, any approach to attacking identity theft must also impose obliga- 
tions on those who make that theft possible — those who grant credit, goods, or 
services to imposters without taking careful steps to determine with whom they are 
dealing. 

8 Both the news stories about Clifford J. Dawg and a thoughtful analysis of the larger problem 
of too lax identification standards applied by creditors are found in C. Hoofnagle, Putting Identity 
Theft on Ice: Freezing Credit Reports to Prevent Lending to Impostors, in Securing Privacy in 
the Information Age (forthcoming from Stanford University Press), 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=650162. 

At minimum, creditors should be required to actually contact the applicant to 
verify that he or she is the true source of an application for credit when certain trig- 
gering events occur. The triggering events should include any of the following cir- 
cumstances: 

• Incomplete match on Social Security number. 

• Address mismatch between application and credit file. 

• Erroneous or missing date of birth in application. 

• Misspellings of name or other material information in application. 

• Other indicators as practices change. 

Under FACTA, the FTC and the Federal financial institution regulators are 
charged with developing a set of red flag “guidelines” to “identify possible risks” to 
customers or to the financial institution. However, FACTA stops with the identifica- 
tion of risks. It does not require that financial institutions do anything to address 
those risks once identified through the not-yet-released guidelines. The presence of 
a factor identified in the guidelines does not trigger a statutory obligation to take 
more care in determining the true identity of the applicant before granting credit. 
Congress should impose a plain, enforceable obligation for creditors to contact the 
consumer to verify that he or she has in fact sought credit when certain indicators 
of potential identity theft are present. 
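
The triggering events listed above (incomplete SSN match, address mismatch, missing or erroneous date of birth, misspelled name) are the kind of checks a creditor’s application-screening system would run before deciding whether the consumer must be contacted. The following is an added example, not part of the hearing record or of any Consumers Union or creditor’s own system; the record layout, the normalization rules, the treatment of any nonzero edit distance as a misspelling, and the sample records are this example’s own assumptions.

```python
"""Red-flag screening of a credit application against the credit file.

Added example, not from the hearing record.  It implements the four concrete
triggering events named in the testimony; the field names, normalization
rules and sample records below are assumptions made for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    """Hypothetical shape shared by an application and a credit-file entry."""
    name: str
    ssn: str            # digits, with or without dashes
    address: str
    dob: str | None     # ISO date string, or None if absent


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def _norm_text(s: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that pure
    formatting differences (St. vs St, extra commas) are not mismatches."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s.lower()).split())


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; a small nonzero value is the signature of a misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _dob_error(dob: str | None) -> bool:
    """True if the DOB is missing, unparsable, in the future or implausibly old."""
    if not dob:
        return True
    try:
        d = date.fromisoformat(dob)
    except ValueError:
        return True
    today = date.today()
    return d > today or today.year - d.year > 125


def red_flags(application: Record, credit_file: Record) -> list[str]:
    """Return the triggering events present; an empty list means none fired."""
    flags: list[str] = []

    app_ssn, file_ssn = _digits(application.ssn), _digits(credit_file.ssn)
    if len(app_ssn) != 9 or app_ssn != file_ssn:
        flags.append("ssn_incomplete_match")

    if _norm_text(application.address) != _norm_text(credit_file.address):
        flags.append("address_mismatch")

    if _dob_error(application.dob):
        flags.append("dob_missing_or_erroneous")

    app_name, file_name = _norm_text(application.name), _norm_text(credit_file.name)
    if app_name != file_name:
        # Any nonzero distance is treated as a trigger: a one-letter slip is a
        # misspelling, a large distance is a different name; both need a call.
        dist = _levenshtein(app_name, file_name)
        flags.append(f"name_misspelling(edit_distance={dist})")

    return flags


def requires_contact(application: Record, credit_file: Record) -> bool:
    """The obligation argued for in the testimony: if any trigger fires, the
    creditor contacts the consumer before granting credit."""
    return bool(red_flags(application, credit_file))


# Constructed sample records (fictional; not real people or real numbers).
FILE = Record("Maria Lopez", "123-45-6789", "12 Oak St, Springfield, IL", "1970-03-04")
CLEAN = Record("Maria Lopez", "123456789", "12 Oak St., Springfield IL", "1970-03-04")
SUSPECT = Record("Mria Lopez", "123-45-6780", "9 Elm Ave, Portland, OR", None)

if __name__ == "__main__":
    print(red_flags(CLEAN, FILE))     # formatting differences only: no flags
    print(red_flags(SUSPECT, FILE))   # all four triggers fire
```

The point of the normalization step is that a creditor screening only on raw string equality would either flag every honest applicant who writes “St.” instead of “St” or, more likely, would turn the check off; normalizing first keeps the trigger meaningful.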

Control for Consumers Over Affiliate-Sharing, Use of Information, Use of Credit Re- 
ports and Credit Scores 

Consumers are caught between the growth in the collection and secondary use of 
information about them on the one hand and the increasing sophistication of crimi- 
nals in exploiting weaknesses in how that information is stored, transported, sold 
by brokers, shared between affiliates, and used to access credit files and credit 
scores. 

Identity theft has been fueled in part by information-sharing between and within 
companies, the existence of databases that consumers don’t know about and can’t 
stop their information from being part of, the secondary use of information, and the 
granting of credit based on a check of the consumer credit file or credit score with- 
out efforts to verify the identity of the applicant. 9 Consumers Union has consistently 
supported Federal and State efforts to give consumers the legal right to stop the 
sharing of their sensitive, personal information among affiliates. Finally, it is essen- 
tial to stopping the spread of numbers that serve as consumer identifiers that Con- 
gress and the States impose strong restrictions on the use of sensitive, personal in- 
formation for purposes other than the purpose for which the consumer originally 
provided that information. 

Fix FACTA 

FACTA has made some things more difficult for identity theft victims, according 
to information provided to Consumers Union by nonprofits and professionals who 
assist identity theft victims. Moreover, FACTA gives only limited rights to those 
who have not yet become victims of identity theft, and FACTA fails to offer a pure 
prevention tool for all consumers. A consumer who asserts in good faith that he or 
she is about to become a victim of identity theft gets one right under FACTA — the 
right to place, or renew, a 90 day fraud alert. However, this type of alert places 
lower obligations on the potential creditor than the extended alert, which is re- 
stricted only to identity theft victims. 

A consumer should be able to access more of his or her FACTA rights, such as 
the extended fraud alert, before becoming an identity theft victim. One key FACTA 
right is tied to a police report, which victims still report difficulty in getting and 
using. 

Here are some key ways to make FACTA work for victims: 

• Initial fraud alert should be one year, not 90 days. 

• Extended alert and other victims’ rights, other than blocking of information, 
should be available to all identity theft victims who fill out the FTC ID theft 
affidavit under penalty of perjury. 

• Business records should be available to any consumer who fills out the FTC ID 
theft affidavit under penalty of perjury. 


9 Secondary use is use for a purpose other than the purpose for which the consumer gave the 
information. 
• Consumers who receive a notice of security breach should be entitled to place 
an extended fraud alert. 

• Consumers who place a fraud alert have the right under FACTA to a free credit 
report, but this should be made automatic. 

There is also work to do outside of FACTA, including work to develop a police re- 
port that could be given to victims that is sufficiently similar, if not uniform, across 
jurisdictions, so that the victim does not find creditors or businesses in another ju- 
risdiction refusing to accept a police report from the victim’s home jurisdiction. 

Congress Must Encourage the States To Continue To Pioneer Prompt 
Responses to Identity Crime 

Virtually every idea on the table today in the national debate about stemming 
identity theft and protecting consumer privacy comes from legislation already en- 
acted by a state. Congress must not cut off this source of progress and innovation. 
Instead, any identity theft and consumer privacy legislation in Congress should ex- 
pressly permit states to continue to enact new rights, obligations, and remedies in 
connection with identity theft and consumer privacy to the full extent that the State 
requirements are not inconsistent with the specific requirements of Federal law. 

Criminals will always be more fast-acting, and fast-adapting, than the Federal 
Government. An important response to this reality is to permit, and indeed encour- 
age, State legislatures to continue to act in the areas of identity theft and consumer 
privacy. Fast-acting states can respond to emerging practices that can harm con- 
sumers while those practices are still regional, before they spread nationwide. For 
example, California enacted its notice of security breach law and other significant 
identity theft protections because identity theft was a significant problem in Cali- 
fornia well before it became, or at least was recognized as, a national crime wave. 

Identity theft illustrates how much quicker states act on consumer issues than 
Congress. According to numbers released by the FTC, there were 9.9 million annual 
U.S. victims of identity theft in the year before Congress adopted the relatively mod- 
est rights for identity theft victims found in FACTA. The identity theft provisions 
adopted by Congress in FACTA were modeled on laws already enacted in states 
such as California, Connecticut, Louisiana, Texas, and Virginia. 10 

Strong and Broadly-Based Enforcement 

Consumers need effective enforcement of those obligations and restrictions Con- 
gress imposes in response to the increasing threats to consumer privacy, and of the 
growth of identity theft. A diversity of approaches strengthens enforcement. Each 
statutory obligation imposed by Congress should be enforceable by Federal agencies, 
the Federal law enforcement structure with the Attorney General and U.S. Attor- 
neys, and State attorneys general. Where a state is structured so that part of the 
job of protecting the public devolves to a local entity, such as a district attorney or 
city attorney, those local entities also should be empowered to enforce anti-identity 
theft and privacy measures in local civil or, where appropriate, criminal courts. 

There is also a role for a private right-of-action. It is an unfortunate reality of 
identity theft that law enforcement resources are slim relative to the size of the 
problem. This makes it particularly important that individuals be given a private 
right-of-action to enforce the obligations owed to them by others who hold their in- 
formation. A private right-of-action is an important part of any enforcement matrix. 

Money and Tools for Law Enforcement 

Even if all the recommended steps are taken, U.S. consumers will still need vig- 
orous, well-funded law enforcement. At a meeting convened by Senator Feinstein 
which included some twenty representatives of law enforcement, including police 
departments, sheriffs, and district attorneys, law enforcement uniformly proposed that 
they be given tools to more effectively investigate identity theft. Law enforcement 
costs money, and the law enforcers noted that the multi-jurisdictional nature of 
identity theft increases the costs and time it takes to investigate these crimes. 

10 See California Civil Code §§ 1785.11.1, 1785.11.2, 1785.16.1; Conn. SB 688 § 9(d), (e), Conn. 
Gen. Stats. § 36a-699; IL Rev. Stat. Ch. 505 § 2MM; LA Rev. Stat. §§ 9:3568B.1, 9:3568C, 
9:3568D, 9:3571.1(H)-(L); Tex. Bus. & Comm. Code §§ 20.01(7), 20.031, 20.034-039, 20.04; VA 
Code § 18.2-186.3:1(E). The role of the states has also been important in financial issues unre- 
lated to identity theft. Here are two examples. In 1986, California required that specific infor- 
mation be included in credit card solicitations with enactment of the then-titled Areias-Robbins 
Credit Card Full Disclosure Act of 1986. That statute required every credit card solicitation 
to contain a chart showing the interest rate, grace period, and annual fee. 1986 Cal. Stats., Ch. 
1397, codified at California Civil Code § 1748.11. Two years later, Congress chose to adopt the 
same concept in the Federal Fair Credit and Charge Card Disclosure Act (FCCCDA), setting 
standards for credit card solicitations, applications, and renewals. P.L. 100-583, 102 Stat. 2960 
(Nov. 1, 1988), codified in part at 15 U.S.C. §§ 1637(c) and 1610(e). The implementing changes 
to Federal Regulation Z included a model form for the Federal disclosure box which is quite 
similar to the form required under the pioneering California statute. 54 Fed. Reg. 13855, Appen- 
dix G. 

Law enforcers in California and Oregon have noted a strong link between identity 
theft crime and methamphetamine. The Riverside County Sheriff noted at a March 
29, 2005 event that when drug officers close a methamphetamine lab, they often 
find boxes of fake identification ready for use in identity theft. The drug team has 
closed the lab; without funding for training and ongoing officer time, there may be 
no investigation of those boxes of identities. 

To prove a charge of attempted identity theft, a prosecutor may need to prove that 
the real person holding a particular driver’s license number, credit or debit card 
number, or Social Security number is different from the holder of the fake ID. Doing 
this may require the cooperation of a State Department of Motor Vehicles, a finan- 
cial institution, or the Social Security Administration. The public meetings of the 
California High Tech Crimes Advisory Committee have included discussion of the 
difficulties and time delays law enforcement investigators encounter in trying to ob- 
tain this cooperation. Congress should work with law enforcement and groups rep- 
resenting interest in civil liberties to craft a solution to verifying victim identity that 
will facilitate investigation of identity theft without infringing on the individual pri- 
vacy of identity theft victims and other individuals. 

Law enforcement may have more specific proposals to enhance their effectiveness 
in fighting identity theft. Consumers Union generally supports: 

• Funding for regional identity theft law enforcement task forces in the areas of 
highest concentration of victims and of identity thieves. 

• Funding for investigation and prosecution. 

• An obligation on creditors, financial institutions, and the Social Security Admin- 
istration to provide information about suspected theft-related accounts or num- 
bers to local, State, and Federal law enforcement after a simple, well designed, 
request process. 

Consumers Union believes that the time has come for both Congress and State 
legislatures to act to stem identity theft through strong and meaningful require- 
ments to tell consumers of security breaches; strong and detailed security standards 
and oversight for information brokers, reining in the use of Social Security numbers, 
increased control for consumers over the uses of their information, and obligations 
on creditors to end their role in facilitating identity theft through lack of care in 
credit granting. This should be done without infringing on the role of the states, 
with attention to the need to fund law enforcement to fight identity theft, and with 
attention to the need for private enforcement by consumers. We look forward to 
working with the Chair and Members of the Committee, and others in Congress, 
to accomplish these changes for U.S. consumers. These recommendations by Con- 
sumers Union have been informed by the work of victim assistance groups, privacy 
advocates, and others. 11 

11 Many law enforcers, victim assistance workers, and consumer and privacy advocates were 
engaged in the issue of identity theft prevention long before the most recent ChoicePoint secu- 
rity breach came to light. Consumers Union has worked closely for many years on efforts to fight 
identity theft and protect consumer financial privacy with other national groups, and with con- 
sumer privacy and anti-identity theft advocates and victim assistance groups based in Cali- 
fornia. Our views and recommendations are strongly informed by the experiences of consumers 
reported to us by the nonprofit Privacy Rights Clearinghouse, the nonprofit Identity Theft Re- 
source Center, and others who work directly with identity theft victims. These groups have 
worked to develop the State laws that are the basis for many of the proposals now being intro- 
duced in Congress. Consumers Union is grateful for the leadership of the Privacy Rights Clear- 
inghouse in consumer privacy policy work, the work of the State PIRGs and U.S. PIRG on con- 
sumer identity theft rights which includes the preparation of a model State identity theft stat- 
ute in cooperation with Consumers Union, for the work for consumers on the accuracy of con- 
sumer credit reporting issues done over the past decade by the Consumer Federation of America 
and U.S. PIRG, and for the contributions to the policy debate of organizations such as the Elec- 
tronic Privacy Information Center, Privacy Times, and others too numerous to mention. 

Consumer Reports, June 2005 

The Fight Against Identity Theft 

by Jim Guest, President 

“I was mugged once, years ago,” one of our editorial researchers told me. “It was 
bad, but at least that guy had the guts to look me in the eye.” This time, she’d 
gotten a call from her bank alerting her that someone in Oregon had just withdrawn 
$2,000 from her account. Since she and her husband were both at home in New 
York, that was very bad news. 

Like many of the estimated 10 million people a year whose lives and accounts are 
invaded by identity thieves, our staffer had been as cautious as she could be and 
still be part of today’s marketplace. But either her financial records were leaked or 
a hacker typed his or her way through the barriers protecting her account. 

In either case, companies who hold sensitive, personal and financial information 
about us, and the lawmakers who should be overseeing them, are failing to build 
stronger protections against the increasingly prevalent crime of ID theft. Law- 
makers and regulators must work fast. Here are three things that Consumers 
Union, the publisher of Consumer Reports, is pushing them to do: 

• Oversee information brokers, companies that collect and sell people’s personal 
and financial data. Federal law should require them to safeguard those data, 
sell data only to carefully screened clients, tell consumers what’s in their files, 
and correct mistakes promptly, since mistakes can lose you a job, a mortgage, 
or an insurance policy. 

• Pass strong Federal and State laws that require companies to notify the con- 
sumers whose personal and financial information they hold when their privacy 
is compromised. Now, only California residents have that protection. 

• Pass laws in every state allowing consumers to “freeze” their credit-bureau files. 
With a security freeze in place, your credit report and score can’t be given to 
potential new creditors unless you choose to “unlock” the file when you apply 
for, say, a car loan. Most businesses won’t issue new credit or loans without 
first checking credit records. This way, thieves will hit a brick wall trying to 
open an account in your name. 

There’s no single solution to shielding consumers from the fast-changing schemes 
of ID thieves, so Congress should preserve the right of States to continue developing 
ever more sophisticated guards. For more about what CU is doing, and for what you 
can do to protect yourself, go to our websites www.consumersunion.org/privacy and 
www.consumersunion.org/money. 


Statement of James X. Dempsey, Executive Director, Center for Democracy 
& Technology, 1 before the Senate Committee on the Judiciary, April 13, 2005 

Securing Electronic Personal Data: Striking a Balance Between Privacy 
and Commercial and Governmental Use 

Chairman Specter, Senator Leahy, and Members of the Committee, thank you for 
the opportunity to testify today. Recent security breaches at a range of companies 
and institutions resulting in the loss of sensitive, personal information have high- 
lighted the need for a more substantial legal framework at the national level for en- 
tities collecting, using and selling personal data. A range of harms, including iden- 
tity theft, can flow from the failure to protect electronic personal data and from gov- 
ernmental or corporate misuse of data or reliance on inaccurate data. We offer here 
today an overview of the policy landscape and suggest some approaches that Con- 
gress should consider to ensure the appropriate level of security and privacy protec- 
tion. We look forward to working with you and interested stakeholders to achieve 
balanced solutions. 

The New Marketplace for Personal Data 

In the past decade, the commercial collection and sale of personal information has 
changed dramatically, driven by a combination of factors, facilitated by the Internet, 
and resulting in an ever more rapid flow of sensitive, personal information in ways 
that most consumers barely understand. The implications for commerce, national se- 
curity and personal privacy have been detailed in recent books such as Robert 
O’Harrow’s “No Place to Hide.” 

The private sector and the Federal Government have many legitimate needs for 
personal information, and the sharing of data offers benefits to consumers in the 
form of readily available credit. Businesses and non-profit entities, ranging from 
landlords to retailers, to lawyers, to universities, obtain and share personal informa- 
tion to provide services and facilitate economic transactions. Indeed, an important 
use of commercial data services is for anti-fraud purposes, including the prevention 
of identity theft. The Federal Government uses personal information to determine 
eligibility for government benefits, to support law enforcement, and to fight the war 
on terror. 

1 The Center for Democracy & Technology (CDT) is a non-profit public interest organization 
dedicated to promoting privacy and other democratic values for the new digital communications 
media. Among other activities, CDT coordinates the Digital Privacy and Security Working Group 
(DPSWG), a forum for computer, communications, and public interest organizations, companies 
and associations interested in information privacy and security issues. 

An important category of this information is drawn from public records at court- 
houses and other government agencies. Data brokers (we use the term throughout 
our testimony for lack of a better one, without intending to be derogatory and recog- 
nizing that it is not well-defined) add considerable value by aggregating and catego- 
rizing this information to provide a more complete picture of the individuals to 
whom it pertains. 

While data brokers provide important services to the government and the private 
sector, they also raise a host of privacy issues and concerns about the security of 
this information. The recent security breaches at ChoicePoint and LexisNexis have 
prompted calls for examination of this new industry. Already-regulated entities, 
such as Bank of America, have also lost control of sensitive, personal information. 
So have merchants whose primary business is not data aggregation. DSW Shoe 
Warehouse, a chain of shoe retailers, announced recently that someone had stolen 
customers’ credit card information from its database. And the New York Times re- 
ported that already this year nine universities have reported the loss or compromise 
of sensitive, personal information. 2 Precisely because databases of electronic per- 
sonal data have tremendous value, they are attracting identity thieves. 

Even legitimate uses of personal data can result in harm to individuals. For in- 
stance, individuals can suffer adverse consequences when data brokers sell inac- 
curate or incomplete information that results in the loss of employment opportuni- 
ties. In the context of government use of personal information, adverse consequences 
could include being suspected of criminal or terrorist activity. 

Congress has addressed privacy and security issues with respect to credit report- 
ing agencies in the Fair Credit Reporting Act (FCRA), financial institutions in 
Gramm-Leach-Bliley (GLB), and healthcare providers in the Health Insurance Port- 
ability and Accountability Act (HIPAA). But Congress’s sectoral approach to infor- 
mation privacy has left gaps in the coverage of the law. 

Overview of Policy Responses 

We see at least five sets of issues facing Congress at this time: 

1. As a first step towards preventing identity theft, entities, including govern- 
ment entities, holding personal data should be required to notify individuals in 
the event of a security breach. 

2. Since notice only kicks in after a breach has occurred, Congress should re- 
quire entities that electronically store personal information to implement secu- 
rity safeguards, similar to those required by California AB 1950 and the regula- 
tions under Gramm-Leach-Bliley. 

3. Congress should impose tighter controls on the sale, disclosure and use of So- 
cial Security numbers and should seek to break the habit of using the SSN as 
an authenticator. 

4. Congress should address the Federal Government’s growing use of commer- 
cial databases, especially in the law enforcement and national security contexts. 

5. Finally, Congress should examine the “Fair Information Practices” that have 
helped define privacy in the credit and financial sectors and adapt them as ap- 
propriate to the data flows of this new technological and economic landscape. 

What Is Privacy? 

Information privacy is not merely about keeping personal information confiden- 
tial. Rather, it is well established by United States Supreme Court cases, the Fed- 
eral Privacy Act, and privacy laws like the FCRA and HIPAA that the concept of 
privacy extends to information that an individual has disclosed to another in the 
course of a commercial or governmental transaction and even to data that is pub- 
licly available. 3 Information privacy is about control, fairness, and consequences. 


2 Tom Zeller, Jr., Some Colleges Falling Short In Data Security, New York Times, Apr. 4, 2005, 
at Bl. 

3 In United States Department of Justice v. Reporters Committee for Freedom of the Press, 489 
U.S. 749, 762-63 (1989), the Supreme Court rejected the “cramped notion of personal 
privacy” that “because events . . . have been previously disclosed to the public, . . . [the] privacy 
interest in avoiding disclosure of a . . . compilation of these events approaches zero.” The Court 

Data privacy laws limit the use of widely available, and even public, information 
because it is recognized that individuals should retain some control over the use of 
information about themselves and should have redress to the consequences that re- 
sult from others’ use of that information. A set of commonly accepted “Fair Informa- 
tion Practices” captures this broader conception of privacy and is reflected, albeit 
in piecemeal fashion, in the various privacy laws and in the practices of commercial 
entities and government agencies. These principles govern not just the initial collec- 
tion of data, but also the use of information collected and shared in the course of 
governmental and commercial transactions. 

The “Fair Information Practices” were first articulated in the 1970s and have 
been embodied in varying degrees in the Privacy Act, the FCRA, and the other “sec- 
toral” Federal privacy laws that govern commercial uses of information. The concept 
of Fair Information Practices (FIPs) has remained remarkably relevant despite the 
dramatic changes in information technology that have occurred since they were first 
developed. While mapping these principles to the current data landscape poses chal- 
lenges, and while some of the principles may be inapplicable to public record data, 
they provide a remarkably sound basis for analyzing the issues associated with cre- 
ating a policy framework for the privacy of commercial databases. 

The FIPs principles are variously enumerated, but we see eight: (1) notice to indi- 
viduals of the collection of personally identifiable information, (2) limits on use and 
disclosure of data for purposes other than those for which the data was collected 
in the first place, (3) limitations on the retention of data, (4) a requirement to en- 
sure the accuracy, completeness and timeliness of information, (5) the right of indi- 
viduals to access information about themselves, (6) the opportunity to correct infor- 
mation or to challenge decisions made on the basis of incorrect data, (7) appropriate 
security measures to protect the information against abuse or unauthorized disclo- 
sure, and (8) the establishment of redress mechanisms for individuals wrongly and 
adversely affected by the use of personally identifiable information. 4 

A lot more work would be needed to develop a regulatory framework imposing all 
of these principles on all entities that hold or use personally identifiable data. Nev- 
ertheless, these principles do provide a framework for analyzing the current situa- 
tion. They suggest certain immediate steps that Congress could take. 

Notice of Breach 

As a first step, there should be a national requirement that individuals be notified 
when their information held by a third party is obtained by an unauthorized user. 
CDT would support appropriate Federal legislation modeled on the California disclo- 
sure law that would require holders of sensitive, personal information to notify peo- 
ple whose information might have been stolen or otherwise obtained by unauthor- 
ized persons. 5 Some industry leaders have also supported Federal notice legislation, 
as did the Chairman of the Federal Trade Commission at earlier Congressional 
hearings. 

The California law worked well after the ChoicePoint security breach. As a result 
of the California law, ChoicePoint was required to notify individuals so they could 
take protective action. And public pressure led ChoicePoint to give nationwide no- 
tice. California is currently the only state with such a law on the books, but other 
states are currently considering similar legislation. Congress should enact Federal 
legislation that is as protective as the California statute. 

There has been some debate about when entities should be required to give notice 
of a breach. Some have argued that the holder of the information should be allowed 
to exercise discretion in determining whether the breach is one that poses a significant 
risk of harm to individuals. Concern has been expressed that if consumers are 
notified of every security breach, they would receive too many notices and become 
immune to them. While the risk of over-notification is real, guidance issued by the 
State of California on its disclosure law seems to address concerns about over-notification. 
An appropriate standard might be to require entities that discover a breach 
of security of a system containing unencrypted personally identifiable data in electronic 
form to notify any U.S. resident whose data was, or is reasonably believed 
to have been, acquired by an unauthorized person. If the entity is not certain whether 
the breach warrants notification, it should be able to consult with the Federal 
Trade Commission. This would allow the entities to avoid giving notice in the case 
of accidental unauthorized access that does not pose a risk of harm to the public, 
while ensuring that the public is adequately protected in those cases where data has 
been acquired unlawfully. Additionally, it may be desirable to have a two-tiered system, 
with notice to the FTC of all breaches of personal data and notice to consumers 
where there is a potential risk of identity theft. Broader notice to the FTC would 
help with oversight and would allow for adjustment in reporting thresholds. 

held in that case that the government can withhold from public disclosure databases composed 
entirely of publicly available data because there is a “distinction, in terms of personal privacy, 
between scattered disclosure of the bits of information . . . and revelation of the [information] 
as a whole.” The Court based its ruling on the conclusion that, “Plainly there is a vast difference 
between the public records that might be found after a diligent search of courthouse files, county 
archives, and local police stations throughout the country and a computerized summary located 
in a single clearinghouse of information.” 489 U.S. at 764. The Court rejected the notion that 
an individual has no privacy interest in data that is publicly available somewhere. See id. at 
770 (“In sum, the fact that an event is not wholly ‘private’ does not mean that an individual 
has no interests in limiting disclosure or dissemination of the information.” (quotation omitted)). 
See also Reno v. Condon, 528 U.S. 141, 148 (2000) (upholding Federal statute restricting States’ 
sale of driver’s license information to commercial entities even though the information was 
available to the public for a range of purposes). 

4 http://www.cdt.org/privacy/guide/basic/generic.html. 

5 The California law states that any agency or business “that owns or licenses computerized 
data that includes personal information shall disclose any breach of the security of the system 
following discovery or notification of the breach in the security of the data to any resident of 
California whose unencrypted personal information was, or is reasonably believed to have been, 
acquired by an unauthorized person.” Cal. Civ. Code § 1798.29(a), § 1798.82(a). 

Notice alone, however, is not enough. Consideration needs to be given to the ques- 
tion of what options a consumer has after receiving notice of a breach. Consumers 
can require a fraud alert on their credit reports, but under current law that has 
to be renewed every 90 days unless the individual is actually the victim of identity 
theft, in which case he is entitled to a 7-year fraud alert. Another approach is to give 
consumers the ability to “freeze” their credit reports, blocking their release and thus 
preventing the issuance of credit. Texas and California currently allow credit report 
freezes, and freeze legislation in Vermont and Louisiana is supposed to take effect this 
summer. At least 15 other states are considering similar legislation. 6 Another way 
to allocate risk may be to create a “Do Not Issue Credit without Verification List,” 
allowing consumers to post a warning to creditors to obtain additional identity 
verification before issuing credit. This would not be a freeze, but would put creditors 
on alert that they need to be careful. 

Security of Personally Identifiable Information 

While notice legislation would be helpful in mitigating the damage from a security 
breach and might prod companies to improve security proactively, Congress should 
enact legislation requiring commercial entities that hold personal information to implement 
information security programs. Already there is a patchwork of requirements: 
financial institutions are subject to information security requirements under 
Gramm-Leach-Bliley, 7 the Health Insurance Portability and Accountability Act imposes 
similar requirements on health care providers and insurers, 8 and the Sarbanes-Oxley 
legislation also has a provision that is interpreted as imposing some kind of data 
security obligation. The Federal Trade Commission has exercised its Section 5 authority 
and obtained consent agreements with a number of 
companies that are looked to as models. And the California law known as AB 1950 
has imposed a general data security obligation on companies doing business there. 

It is probably time to bring some uniformity to these requirements. The Federal 
Trade Commission regulations implementing Gramm-Leach-Bliley provide a good 
framework and probably have about the right level of detail for security programs 
for data brokers and other commercial entities. 9 They require an entity to develop, 
implement and maintain a comprehensive information security program that con- 
tains administrative, technical and physical safeguards that are tailored to the size 
and nature of the entity. Among other elements of a security program, they require 
entities that hold personal information to conduct a risk assessment to identify and 
develop systems to protect against anticipated threats and unauthorized access to 
information, to train employees, to audit their systems to identify unauthorized ac- 
cess, and to periodically reassess the program’s effectiveness. Otherwise, the FTC 
approach gives entities that collect and store personal information the flexibility to 
develop security programs that fit their business models. 

Social Security Number Protection 

Personal privacy is not just threatened by ineffective or nonexistent information 
security systems, however. Another threat to personal privacy is the proliferation 
and misuse of Social Security numbers. When the Federal Government first issued 
Social Security numbers in 1936, it limited their use to identifying accounts for 
workers with earnings from jobs covered by the Social Security Act of 1935. Social 
Security numbers were not supposed to serve as the universal identifiers that they 
have become. In fact, they were initially called Social Security Account Numbers 
and for many years the words “Not For Identification” appeared on Social Security 
cards. 10 Over time, however, Social Security numbers have become de facto national 
identifiers, serving as the key that unlocks many databases containing medical 
records, university records, employee files and bank records, just to name a few. 

6 Andrew Shain, “Nation, N.C. address ID security breaches,” Charlotte Observer, Mar. 24, 
2005, http://www.charlotte.com/mid/charlotte/11215774.htm. 

7 15 U.S.C. § 6801(b). 

8 Pub. L. 104-191, § 264. 

9 See Standards For Safeguarding Customer Information, 16 C.F.R. §§ 314.1-.5 (2005). 

Worse, the SSN is used as an authenticator. That is, it is used like a PIN number — even 
though SSNs are widely available, entities treat them as if they were a secret and 
therefore as if someone is you if he knows your SSN. This is very poor security practice. 
As a result, Social Security numbers are a major factor in identity theft. 

CDT supports legislation that would tighten controls on the sale, purchase and 
display of Social Security numbers. Given the ubiquity of Social Security numbers 
in the public domain, it might not be possible to prevent criminals from acquiring 
them, but that does not mean we should give up trying to curtail the SSN’s overuse 
and misuse. We believe that this can be done without prohibiting the use of the SSN 
as an identifier or disambiguator in large databases. Certainly, the SSN should be 
phased out as a student or employee ID number reflected on ID cards, transcripts 
and other records disclosed outside an institution. Congress should also, where fea- 
sible, limit the use of Social Security numbers by government entities. In particular, 
states should be prohibited from using Social Security numbers on drivers’ licenses. 

These changes will have limited effect, however, unless it is also recognized that 
it is poor security practice to use the SSN as an authenticator — treating it like a 
password or an obscure bit of information likely to be known only to the one person 
to whom it was issued. The habit of relying on the SSN for verification of identity 
needs to be broken. 11 

Government Use of Commercial Databases 

An often overlooked but very important issue is the Federal Government’s use of 
commercial databases. As discussed earlier, the government uses commercial data 
for law enforcement and national security purposes. The Privacy Act of 1974 was 
supposed to subject government agencies that collect personally identifiable informa- 
tion to the Fair Information Practices, but the Act’s protections only apply to Fed- 
eral “systems of records.” 12 That means that the government can bypass the Pri- 
vacy Act by accessing existing private sector databases, rather than collecting the 
information itself. Thus, although the Privacy Act requires notice to and consent 
from individuals when the government collects and shares information about them, 
gives citizens the right to see whatever information the government has about them, 
and holds government databases to certain accuracy standards, none of those rules 
applies when the government accesses commercial information without pulling that 
data into a government database. Currently, the government need not ensure (or 
even evaluate) the accuracy of the data; it need not allow individuals to review and 
correct the data; and the government is not limited in how it interprets or charac- 
terizes the data. 

Commercial information can and should play a key role in law enforcement and 
national security investigations. But agencies relying on that data should have clear 
guidelines for its use — guidelines that both protect individual rights and ensure the 
information is useful for investigative purposes. 

One option would be to make it clear that the Privacy Act applies whether the 
government is creating its own database or acquiring access to a database from a 
commercial entity. Also, Congress could apply the concept of Privacy Impact Assess- 
ments to the acquisition of commercial databases. Section 208 of the E-Government 
Act of 2002 already requires a PIA if the government initiates a new “collection” 
of information. 13 The same process should apply when the government acquires access 
to a commercial database containing the same type of information that would 
be covered if the government itself were collecting it. 

Another approach, based on a bill that Senator Wyden introduced in the last Congress, 14 
would be to require the government to perform an accounting of private sector 
databases before using them. Under the Wyden proposal, a government agency 
that acquired access to databases containing personally identifiable information concerning 
U.S. citizens would be required to publish in the Federal Register a description 
of the database, the name of the entity from which the agency obtained the 
database and the amount of the contract for use of the database. In addition, the 
agency would be required to adopt regulations that establish 

• the personnel permitted to access, analyze or otherwise use the database; 

• standards that govern the access to and analysis and use of such information; 

• standards to ensure that personal information accessed, analyzed and used is 
the minimum necessary to accomplish the government’s goals; 

• standards to limit the retention and re-disclosure of information obtained from 
the database; 

• procedures to ensure that such data is accurate, relevant, complete and timely; 

• auditing and security measures to protect against unauthorized access to or 
analysis, use or modification of data in the database; 

• applicable mechanisms that individuals may use to secure timely redress for 
any adverse consequences wrongly experienced due to the access, analysis or 
use of such database; 

• mechanisms, if any, for the enforcement and independent oversight of existing 
or planned procedures, policies or guidelines; and 

• an outline of enforcement mechanisms for accountability to protect individuals 
and the public against unlawful or unauthorized access to or use of the database. 

Agencies might also incorporate into their contract with commercial entities provisions 
that provide for penalties when the commercial entity sells information to the 
agency that the commercial entity knows, or should know, is inaccurate or when the 
commercial entity fails to inform the agency of corrections or changes to data in the 
database. 

The Intelligence Reform Act that Congress passed last December established 
guidelines for the government’s evaluation of Secure Flight plans that suggest a 
broader framework for use of data. 15 Congress could adopt similar guidelines for 
government agencies to follow before implementing any screening program that uses 
commercially available data. As an initial matter, all government screening programs 
should be Congressionally authorized. This would ensure some degree of public 
accountability and Congressional oversight. In addition, all screening programs 
should be subject to regulations that include, at a minimum, the following elements: 

• procedures to enable individuals, who suffer an adverse consequence because 
the system determined that they might pose a security threat, to appeal the determination 
and correct any inaccurate data; 

• procedures to ensure that the databases the government uses to establish the 
identity of individuals or otherwise make assessments about individuals will not 
produce a large number of false positives or unjustified adverse consequences; 

• procedures to ensure that the search tools that the department or agency will 
use are accurate and effective and will allow the department or agency to make 
an accurate prediction of who may pose a security threat; 16 

• sufficient operational safeguards to reduce the chance for abuse of the system; 

• substantial security measures to protect the system against unauthorized access; 

• policies that establish effective oversight of the use and operation of the system; 
and 

• procedures to ensure that the technological architecture of the system does not 
pose any privacy concerns. 

10 www.epic.org/privacy/hew1973report/c7.htm 

11 The habit of relying blindly on the SSN as an identifier also needs to be broken. See Lesley 
Mitchell, “New wrinkle in ID theft; Thieves pair your SS number with their name, buy with 
credit, never get caught; Social Security numbers a new tool for thieves,” The Salt Lake Tribune, 
June 6, 2004, at E1. 

12 The term “system of records” is defined as “a group of any records under the control of any 
agency from which information is retrieved by the name of the individual or by some identifying 
number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a). 

13 E-Government Act of 2002, Pub. L. 107-347, § 208(b)(1). Under the E-Government Act, an 
agency is required to perform a privacy impact assessment before it “develop[s] or procure[s] 
information technology that collects, maintains, or disseminates information that is in an identifiable 
form” or “initiat[es] a new collection of information. . . .” § 208(b)(1)(A). A privacy impact 
assessment is required to address, “(I) what information is collected; (II) why the information 
is being collected; (III) the intended use of the agency of the information; (IV) with whom the 
information will be shared; (V) what notice or opportunities for consent would be provided to 
individuals regarding what information is collected and how that information is shared; (VI) 
how the information will be secured; and (VII) whether a system of records is being created 
under” the Privacy Act. § 208(b)(2)(B). 

14 S. 1484, 108th Cong. (1st Sess. 2003). 

15 Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458, § 4012(a). 

16 This provision is drawn from the Department of Homeland Security Appropriations Act, 
2005, Pub. L. 108-334, § 552. 

These approaches, all of which Congress has previously approved in similar con- 
texts, strike a balance between the government’s need for information and the pri- 
vacy interests of individuals. Adapting the Privacy Act and Fair Information Prin- 
ciples to government uses of commercial databases would go a long way toward clos- 
ing the unintended gap in privacy protection that exists under the current law. 

Regulation of Data Brokers 

Finally, Congress should consider whether there are gaps in the current sectoral 
laws that protect privacy and focus on the harms that can flow from use of inac- 
curate or misleading information. This is not about use of marketing data to send 
catalogues or sales offers. Rather, in the context where adverse consequences can 
result, Congress should apply to data brokers the Fair Information Practices that 
are the framework of the Fair Credit Reporting Act and other privacy laws. 

As the law stands now, these Fair Information Practices apply only when data 
brokers collect and use information in a way that is governed by the Fair Credit 
Reporting Act. For instance, if a data broker sells personal information to a third 
party that uses the information to determine eligibility for insurance, the Fair Cred- 
it Reporting Act would apply and certain rights would attach to the individual to 
whom the information pertains. The individual would be able to obtain a copy of 
the report, challenge the accuracy of the data and correct any inaccurate informa- 
tion. The ability to do this is particularly important when a person can suffer ad- 
verse consequences — such as the denial of insurance — from the use of the personal 
information. But if the data broker sold that same information to an insurance com- 
pany for use in claims processing — in which case the individual might be denied re- 
imbursement under her insurance policy — the individual would not have any of 
those same rights. 17 

We note that Derek Smith, the Chairman and CEO of ChoicePoint, last year 
called for a national dialogue on privacy, to develop a policy framework for his com- 
panies and others. Specifically, Smith called for expanding the principles reflected 
in the FCRA: 

“We should agree that the consensual model is best to the maximum degree 
possible, understanding that law enforcement and national security uses may 
outweigh getting prior consent for certain information. By this I mean that indi- 
viduals should give permission (or not) at the time information is gathered and 
should agree to its use. Data should not be used for a different purpose unless 
new permission is obtained. However, we must recognize that public record data 
is, fundamentally, just that — public — and does not fit within the consensual 
model because of the current local, State, and Federal freedom of information 
acts. 

Everyone should have a right of access to data that is used to make decisions 
about them — subject to the same caveats about law enforcement and national 
security uses. In other words, expand the principles of the Fair Credit Reporting 
Act to all types of information: right to access, right to question the accuracy 
and prompt a review, and right to comment if a negative record is found to be 
accurate.” 18 

Conclusion 

Resolving these issues will require a broad-based and inclusive dialogue. We must 
strike a balance, but the current absence of a comprehensive legal framework for 
the collection, sale and use of sensitive, personal information is yielding harms that 
are made clear every day. The Center for Democracy and Technology looks forward 
to working with the Committee, with all of today’s witnesses, and with all stake- 
holders. We are not helpless in the face of the ongoing revolution in information 
technology. Through the policy process, we can decide whether there is “No Place 
to Hide.” 


17 Michael Hiltzik, Data Show Information Collector Can’t Be Trusted, Los Angeles Times, 
Mar. 3, 2005, at C1. 

18 Derek V. Smith, “Risk Revolution: The Threats Facing America and Technology’s Promise 
for a Safer Tomorrow” (Longstreet Press, 2004) 185. 
Statement of Oliver I. Ireland, Attorney, Morrison & Foerster LLP; on 
Behalf of Visa U.S.A. Inc., Before the Subcommittee on Commerce, Trade, 
and Consumer Protection of the Committee on Energy and Commerce, 
United States House of Representatives, May 11, 2005 

Securing Consumers’ Data: Options Following Security Breaches 

Good morning Chairman Stearns, Ranking Member Schakowsky, and Members of 
the Subcommittee. I am a partner in the law firm of Morrison & Foerster LLP, and 
practice in the firm’s Washington, D.C. office. I am pleased to appear before the 
Subcommittee on behalf of Visa U.S.A. Inc., to discuss the important issue of 
consumer information security. 

The Visa Payment System, of which Visa U.S.A. is a part, is the largest consumer 
payment system, and the leading consumer e-commerce payment system, in the 
world, with more volume than all other major payment cards combined. Visa plays 
a pivotal role in advancing new payment products and technologies, including tech- 
nology initiatives for protecting personal information and preventing identity theft 
and other fraud. 

Visa commends the Subcommittee for focusing on the important issue of informa- 
tion security. As the leading consumer electronic commerce payment system in the 
world, Visa considers it a top priority to remain a leader in developing and imple- 
menting technology, products, and services that protect consumers from the effects 
of information security breaches. As a result, Visa has long recognized the impor- 
tance of strict internal procedures to protect Visa’s members’ cardholder informa- 
tion, thereby to protect the integrity of the Visa system. 

Visa has substantial incentives to maintain strong security measures to protect 
cardholder information. The Visa system provides for zero liability to cardholders 
for unauthorized transactions. Cardholders are not responsible for unauthorized use 
of their cards. The Visa Zero Liability policy guarantees maximum protection for 
Visa cardholders against fraud due to information security breaches. Because the 
financial institutions that are Visa members do not impose the losses for fraudulent 
transactions on their cardholder customers, these institutions incur costs from 
fraudulent transactions. These costs are in the form of direct dollar losses from cred- 
it that will not be repaid, and also can be in the form of indirect costs attributable 
to the harm and inconvenience that might be felt by cardholders or merchants. Ac- 
cordingly, Visa aggressively protects the cardholder information of its members. 

Existing Federal Laws and Rules for Information Security 

Existing Federal laws and regulations also obligate financial institutions to pro- 
tect the personal information of their customers. Rules adopted under section 501(b) 
of the Gramm-Leach-Bliley Act of 1999 by the Federal banking agencies and the 
Federal Trade Commission (FTC) (GLBA 501(b) Rules) establish information secu- 
rity standards for the financial institutions subject to the jurisdiction of these agen- 
cies. Under the GLBA 501(b) Rules, financial institutions must establish and main- 
tain comprehensive information security programs to identify and assess the risks 
to customer information and then control these potential risks by adopting appro- 
priate security measures. 

Each financial institution’s program for information security must be risk-based. 
Every institution must tailor its program to the specific characteristics of its busi- 
ness, customer information and information systems, and must continuously assess 
the threats to its customer information and systems. As those threats change, the 
institution must appropriately adjust and upgrade its security measures to respond 
to those threats. 

However, the scope of the GLBA 501(b) Rules is limited. Many holders of sen- 
sitive, personal information are not financial institutions covered by the GLBA 
501(b) Rules. For example, employers and most retail merchants are not covered by 
the GLBA 501(b) Rules, even though they may possess sensitive information about 
consumers. 

Visa’s Cardholder Information Security Plan 

Because of its concerns about the adequacy of the security of information about 
Visa cardholders, Visa has developed and is implementing a comprehensive and ag- 
gressive customer information security program known as the Cardholder Informa- 
tion Security Plan (CISP). CISP applies to all entities, including merchants, that 
store, process, transmit, or hold Visa cardholder data, and covers enterprises oper- 
ating through brick-and-mortar stores, mail and telephone order centers, or the 
Internet. CISP was developed to ensure that the cardholder information of Visa’s 
members is kept protected and confidential. CISP includes not only data security 
standards but also provisions for monitoring compliance with CISP and sanctions 
for failure to comply. 

As a part of CISP, Visa requires all participating entities to comply with the “Visa 
Digital Dozen” — twelve basic requirements for safeguarding accounts. These include: 
(1) install and maintain a working network firewall to protect data; (2) do not use 
vendor-supplied defaults for system passwords and security parameters; (3) protect 
stored data; (4) encrypt data sent across public networks; (5) use and regularly up- 
date anti-virus software; (6) develop and maintain secure systems and applications; 
(7) restrict access to data on a “need-to-know” basis; (8) assign a unique ID to each 
person with computer access; (9) restrict physical access to data; (10) track all ac- 
cess to network resources and data; (11) regularly test security systems and proc- 
esses; and (12) implement and maintain an overall information security policy. 

Payment Card Industry Data Security Standard 

Visa is not the only credit card organization that has developed security stand- 
ards. In order to avoid the potential for imposing conflicting requirements on mer- 
chants and others, in December of 2004, Visa, MasterCard, American Express, Dis- 
cover, and Diners Club collaborated to align their respective data security require- 
ments for merchants and third parties. Visa found that the differences between 
these security programs were more procedural than substantive. Therefore, Visa has 
been able to integrate CISP into a common set of data security requirements with- 
out diluting the substantive measures for information security already developed in 
CISP. Visa supports this new, common set of data security requirements, which is 
known as the Payment Card Industry Data Security Standard (PCI Standard). 

Neural Networks To Detect Fraud and Block Potentially Unauthorized Transactions 

In addition to the CISP program, which helps to prevent the use of cardholder 
information for fraudulent purposes, Visa uses sophisticated neural networks that 
flag unusual spending patterns for fraud and block the authorization of transactions 
where fraud is suspected. When cardholder information is compromised, Visa noti- 
fies the issuing financial institution and puts the affected card numbers on a special 
monitoring status. If Visa detects any unusual activity in that group of cards, Visa 
again notifies the issuing institutions, which begin a process of investigation and 
card re-issuance. These networks, coupled with CISP and Visa’s Zero Liability, pro- 
vide a high degree of protection from fraudulent credit card transactions to card- 
holders. 

Expansion of Existing Requirements 

Current protections notwithstanding, Visa believes that an obligation to protect 
sensitive, personal information, similar to the GLBA 501(b) Rules, should apply 
broadly so that all businesses that maintain sensitive, personal information will es- 
tablish information security programs. Because consumer information knows no 
boundaries, it is critical that this obligation be uniform across all institutions in all 
jurisdictions. 

Security Breach Notification 

Closely related to the issue of information security is the question of what to do 
if a breach of that security occurs. Visa believes that where the breach creates a 
substantial risk of harm to consumers that the consumers can take action to pre- 
vent, the consumers should be notified about the breach so that they can take ap- 
propriate action to protect themselves. Both Federal and California law already ad- 
dress this issue. California law currently requires notice to individuals of a breach 
of security involving their computerized personal information. The California law fo- 
cuses on discrete types of information that are deemed to be sensitive, personal in- 
formation. The statute defines sensitive, personal information as an individual’s 
name plus any of the following: Social Security Number, driver’s license number, 
California identification card number, or a financial account number, credit or debit 
card account number, in combination with any code that would permit access to the 
account. The California law includes an exception to the notification requirement 
when this personal information has been encrypted. The California law only re- 
quires notice to be provided when personal information is “acquired by an unauthor- 
ized person.” Other states recently have enacted or are considering security breach 
notification laws; however, the details of some of the laws differ. 

In March, the Federal banking agencies issued final interagency guidance on re- 
sponse programs for unauthorized access to customer information and customer no- 
tice (Guidance). The Guidance applies to all financial institutions that are subject 
to banking agency GLBA 501(b) Rules and requires every covered institution that 
experiences a breach of security involving sensitive customer information to: (1) notify 
the institution’s primary Federal regulator; (2) notify appropriate law enforce- 
ment authorities consistent with existing suspicious activity report rules; and (3) no- 
tify its affected customers where misuse of the information has occurred or is rea- 
sonably possible. 

The keen interest that states have shown to legislate on the issue of security 
breach notification emphasizes the need for a single national standard for security 
breach notification in order to avoid confusion among consumers as to the signifi- 
cance of notices that they receive and among holders of information about con- 
sumers as to their notification responsibilities. In addition, any legislation on secu- 
rity breach notification should recognize compliance with the Guidance as compli- 
ance with any notification requirements. 

Visa believes that a workable notification law that would require entities that 
maintain computerized, sensitive personal information to notify individuals upon 
discovering a significant breach of security of that data should be risk-based to 
avoid inundating consumers with notices where no action by consumers is required. 
As FTC Chairwoman Majoras recently testified to Congress, notices should be sent 
only if there is a “significant risk of harm,” because notices sent when there is not 
a significant risk of harm actually can cause individuals to overlook those notices 
that really are important. 

Thank you, again, for the opportunity to present this testimony today. I would be 
happy to answer any questions. 


Response to Written Questions Submitted by Hon. Daniel K. Inouye to 
Paul B. Kurtz 

Question. Companies often protest against regulation by maintaining that the 
market will address the problem and correct it. However, in the case of ChoicePoint 
and other information brokers, those with the buying power are not adversely af- 
fected by poor security and thus do not demand it from the information suppliers. 
Can either of you comment on the economics of security and how they apply, or not 
apply as the case may be, to the information-broker industry? When should govern- 
ment intervene? 

Answer. In determining the Government’s role with regard to cyber security regu- 
lation, the President’s National Strategy to Secure Cyber Space is an appropriate 
place to start. The National Strategy provides clear policy guidance for the Federal 
Government’s role: “In general, the private sector is best equipped and structured 
to respond to an evolving cyber threat. There are specific instances, however, where 
Federal Government response is most appropriate and justified.” The Strategy goes 
on to describe the Government’s role in the private sector: “Externally, a govern- 
ment role in cybersecurity is warranted in cases where high transaction costs or 
legal barriers lead to significant coordination problems; cases in which governments 
operate in the absence of private sector forces; resolution of incentive problems that 
lead to under-provisioning of critical shared resources; and raising awareness.” 

According to this description, it seems that information brokers may fall into the 
narrow category where there is an absence of private sector forces prompting cyber 
security. As such, it appears appropriate for the Federal Government to intervene. 

What makes regulation of this issue complex is the threat to unsecured, sensitive 
personal information does not stop with information brokers. Recent security 
breaches have occurred in a variety of organizations in regulated and non-regulated 
industries, ranging from banks and hospitals, to educational institutions and large 
employers. 

We believe there are five key principles that should be included in legislation to 
address this issue. 

1. Federal Pre-emption. Any new law should establish a national data breach 
notification “floor” for unauthorized access to unencrypted personal information 
while enabling State attorneys general to prosecute the Federal law so long as 
the U.S. Attorney General is notified. 

Nine states have already passed legislation requiring notification of unauthor- 
ized access to unencrypted personal information. Without Federal pre-emption, 
we will face a web of potentially conflicting breach notification requirements. 

2. Scope. The scope of the breach notification bill should apply to any agency 
or person, as defined in title 5 of the U.S. Code, who owns or licenses computer- 
ized data containing sensitive, personal information and should not be limited 
to data brokers. In developing this legislation, it is important not to duplicate 
requirements set forth under existing Federal law such as the Gramm-Leach-Bliley 
Act (GLBA), the Fair Credit Reporting Act (FCRA), or other relevant Federal 
legislation. 

Legislation should address “gaps” in existing legislation related to the security 
of personal information. Recent security breaches have occurred in a variety of 
organizations, ranging from data brokers, banks and hospitals, to educational 
institutions and large employers. 

3. Reasonable Security Practices. Reasonable security practices encompass a 
combination of technology, policy, and expertise. Consistent with existing State 
law, organizations that own or license computerized data containing personal 
information should implement and maintain reasonable security measures 
based on widely accepted voluntary industry standards or existing Federal law. 
Security Practices. The term “security practices” shall mean reasonable security 
and notification procedures and practices appropriate to the nature of the infor- 
mation to protect sensitive, personal information from unauthorized access, de- 
struction, use, modification or disclosure. 

Certification. Congress should consider self-certification to help safeguard sen- 
sitive, personal information. In the case of self-certification, covered entities 
would be required to self-certify that they have met a widely adopted standard 
in order to safeguard sensitive, personal information. If a breach occurs and it 
is clear that reasonable measures were not taken to safeguard sensitive, per- 
sonal information, then the covered entity involved would be subject to criminal 
prosecution by the Department of Justice. Congress should also consider an op- 
tion for certification by a third-party, coupled with liability protection to foster 
protection. 

Encryption. Congress should encourage the use of encryption technologies with- 
out requiring it, similar to California’s SB 1386. Encryption is defined as “the 
protection of data in storage or in transit using a NIST approved encryption al- 
gorithm implemented within a FIPS 140 validated cryptographic module com- 
bined with the appropriate key management mechanism to protect the confiden- 
tiality and integrity of associated cryptographic keys in storage or in transit.” 

Existing voluntary standards include: 

International Standards Organization (ISO) 17799 

Control Objectives for Information and Related Technology (COBiT) 

British Standard (BS) 7799 

Information security governance framework issued by the National Cyber Se- 
curity Summit Task Force in April 2004 

Existing regulatory standards include: 

Fair Credit Reporting Act (http://www.ftc.gov/os/statutes/fcra.htm#607) 

Gramm Leach Bliley, Safeguards Rule 

FDA, Title 21, Subchapter A, Protection of Privacy 

Basel II, Revised International Capital Framework 

Health Insurance Portability and Accountability Act (HIPAA) Security Rule 

4. Definition of “breach.” A breach of unencrypted personal information should 
be defined so that it encourages the implementation of reasonable security 
measures and minimizes false positives. 

5. Regulatory Authority. The Federal Trade Commission is the most appropriate 
authority to oversee breach notification on a civil level and refer criminal cases 
to the Department of Justice. Wherever possible, the FTC should be directed 
to adopt existing standards, rather than to create new standards. 

Regarding the economics of security, a recent CRS report states that investments 
in cyber security cannot be easily analyzed in terms of return on investment, since 
they do not contribute to income in a measurable way. While such investments may 
not contribute directly to income, their impact on the way an organization does busi- 
ness is immeasurable. Information is the lifeblood of today’s economy and protecting 
that information — maintaining its confidentiality while assuring its accessibility and 
reliability — is of the utmost importance. Cyber security is more than just protecting 
names and Social Security numbers held by data brokers. The economy de- 
pends on the free flow of information and we need to be able to trust that informa- 
tion to be what it purports to be. The issues we hear, seemingly on a day to day 
basis — spyware, identity theft, phishing, breach notification — are all symptoms in 
the larger problem of unsecured information systems. We encourage the Congress 
to take a more holistic approach to the issue of cyber security, rather than reacting 
to each problem. In this context, CSIA believes that there are a number of incentives 
that have not yet been investigated such as legislative safe harbors, tax incen- 
tives, the use of cyber insurance, or other motivating factors that would promote the 
use and development of stronger security measures by information brokers. 

Finally, there is very little economic data available to determine the costs of cyber 
security attacks and vulnerabilities. Developing cost estimates requires reporting of 
incidents as well as a common methodology of breaking down lost productivity, sys- 
tem down time, identifying vulnerabilities, testing patches, and personnel hours. 
Federally funded research in this area would be of great value. 


Response to Written Questions Submitted by Hon. Bill Nelson to 
Jennifer T. Barrett 

Question 1. Does Acxiom merely compile, store, and sell sensitive consumer infor- 
mation? Or does your company perform analysis of such information? Can you de- 
scribe what this analysis involves? And what sorts of analysis is your company per- 
forming generally for law enforcement, such as the FBI? 

Answer. Acxiom does compile consumer information, including SSNs and Driver’s 
License Numbers (DL#s), in order to develop our fraud management products. The 
“analysis” performed in building such products is limited to determining how to ac- 
curately integrate or combine the multiple sources of information. 

Our verification services only validate that the information our client has ob- 
tained from the consumer is correct. There is no “analysis” performed in providing 
those services. Rather, the record being verified is compared to the information 
Acxiom already possesses and a “match” or “no-match” indicator is returned. 

Only law enforcement and the internal fraud departments of large financial insti- 
tutions and insurance companies have access to additional information in connection 
with these verification services. The additional information made available to this 
select group of users includes such information as previous addresses, additional 
SSNs or DL#s associated with the particular consumer. Again, no “analysis” is per- 
formed by Acxiom. 

Acxiom’s background screening products utilize field researchers who do in-per- 
son, real-time research against public records and make calls to past employers to 
verify the information provided by the consumer. Acxiom does not pre-aggregate in- 
formation for these products. As a result, the compilation of this product is only 
done in preparation of the actual report and the file is stored only for purposes of 
compliance with the FCRA. 

Question 2. What is the procedure for becoming an Acxiom client? When someone 
becomes a client, does that client have access to all of your company’s databases for 
any purpose? For example, if an attorney becomes an Acxiom client to help locate 
a witness, can that attorney also use Acxiom’s databases for personal or other rea- 
sons? How does your company monitor this? 

Answer. Acxiom sells its fraud management products exclusively to very large fi- 
nancial services and insurance clients and law enforcement agencies. These products 
are not sold to individuals, such as attorneys. 

The sales cycle for these types of clients is typically several months long and in- 
volves many in-person visits and customized interfaces between systems. The prob- 
lem the client is trying to address with the data, and the data to be provided by 
Acxiom, are fully vetted by Acxiom’s product, legal and compliance teams. Once the 
appropriate Acxiom products for a particular solution are determined, the client en- 
ters into a signed written agreement with terms and conditions of use of the data. 

Once a formal relationship is established, a client is permitted to utilize only the 
data products for which it has been approved and granted a license. 

A log is kept of every transaction made by Acxiom’s clients to our fraud manage- 
ment products which provide access to sensitive information. These are used for bill- 
ing purposes and periodically audited/reviewed by the product team. 

Our background screening products, which are regulated by the Fair Credit Re- 
porting Act, are available only to employers and landlords. All clients using these 
products are credentialed with such agencies as the Better Business Bureau and, 
for those who receive any sensitive information, onsite inspections of potential cli- 
ents also are conducted by Acxiom. Only pre-employment credit reports provide sen- 
sitive information that employers or landlords do not already possess. 

Question 3. Can you explain how Acxiom organizes and maintains its sensitive 
consumer information? Is all information — regulated or unregulated — contained in 
one database? If information is maintained separately, can information from one 
database make its way into another database? If not, how does Acxiom prevent in- 
formation from migrating from one database into others? 

Answer. Acxiom builds distinct databases to support each of its different data 
product lines. The only products Acxiom offers that contain sensitive consumer in- 
formation are its fraud management products and background screening services. 

Although the fraud management products are built from both regulated and un- 
regulated data, the entire database is maintained and utilized as if it was all regu- 
lated. 

Different Acxiom teams are responsible for the creation and maintenance of each 
distinct product line and the databases from which they are built. Only the appro- 
priate team has access to the data within each database. This strategy prevents the 
unintentional migration of information from one database to another. 

Acxiom voluntarily submits itself to external annual audits of its information 
practices for the purpose of reviewing the data and data sources utilized in each 
product line and to assure compliance with our own principles, source contacts and 
applicable laws and regulations. 

The background screening reports are provided by a separately run subsidiary of 
Acxiom and are fully regulated under the Fair Credit Reporting Act. The reports 
are compiled on an “as needed” basis by associates and field agents who are em- 
ployed by that subsidiary and who are focused only on that business. The informa- 
tion in those reports is not stored in a database and is not utilized in any other 
area of the company. 

Question 4. Some information brokers have cited the difficulty in correcting con- 
sumer files, claiming that the inaccurate information is generated from public 
records. But this addresses only part of the issue. One problem is that information 
brokers may place information regarding one person into another person’s file. This 
is particularly common with persons who have the same name. What steps does 
Acxiom take to try to avoid this problem? 

Answer. Acxiom utilizes all available identifying information in consolidating the 
information from various sources to build the company’s data products. In the case 
of individuals with the same or similar names, the use of address, telephone, date 
of birth and SSN, if available, will assist in accurately differentiating between the 
two persons. No one element is used to consolidate information. Rather, a combination 
of elements is utilized, reducing the chance that an error or a similarity in 
one element will result in an error. We also conduct quality audits of consolidation 
procedures to help identify problems and to refine our consolidation algorithms. 

Access to increased information reduces chances for errors. Should some of these 
elements of differentiating data become unavailable to the information services in- 
dustry, the accuracy of the consolidation may suffer. 

Question 5. To what extent does Acxiom sell sensitive consumer information to 
Federal, State, and local law enforcement agencies? Does Acxiom have any limita- 
tions on the sale of information to law enforcement entities? 

Answer. Acxiom has only one contract with the Federal Government which in- 
volves the sale of sensitive information. We impose similar restrictions on the sale 
of sensitive information to government agencies as we do for the fraud departments 
of large financial institutions and insurance companies. Examples of such restric- 
tions include: 

• Sensitive data provided to the government may only be used to verify the accu- 
racy of personal information for the purposes of preventing fraud or to locate 
individuals. 

• Driver’s License data must be used by the government in compliance with the 
Drivers Privacy Protection Act for the verification of accuracy of personal infor- 
mation. If the personal information is incorrect, the driver’s license data may 
be used to obtain the correct information, but only for the purpose of preventing 
fraud. 

• The data provided cannot be stored in any other form or used for any other pur- 
pose unless express written permission is received from Acxiom. 

Question 6. Please describe the procedures governing who can purchase sensitive 
consumer information from Acxiom. Please tell us about the types of holes Acxiom 
had in its old process and how the company is now plugging those holes. 

Answer. Acxiom sells our fraud management product exclusively to large compa- 
nies and has only several dozen clients for these products. As described earlier, only 
the fraud departments of large financial institutions and insurance companies and 
government agencies have access to this investigative tool which provides sensitive 
information. 

We do not believe we have any holes in our current process for screening clients, 
as that process has never been compromised. However, after the incidents involving 
ChoicePoint and Lexis-Nexis, Acxiom undertook a review of all our client 
credentialing procedures, including those procedures that apply to clients with access 
to only non-sensitive data. As a result of that review, which will conclude next 
month, Acxiom may implement additional credentialing procedures if such proce- 
dures are determined to be appropriate. 

While the security breach Acxiom suffered in 2003 did not involve any of Acxiom’s 
information products and did not result in access to any of Acxiom’s sensitive data, 
we did make substantial technical changes in how files are transferred to and from 
Acxiom by our clients, to prevent such an incident from reoccurring. 

Question 7. Does Acxiom favor giving consumers wider access to information that 
the company stores about them? This is a central principle of the legislation I have 
introduced. What information should companies like Acxiom make available to con- 
sumers? 

Answer. Acxiom’s fraud products and the background screening products are the 
only products which contain sensitive information. Since 1997, Acxiom has volun- 
tarily provided consumers access to the information Acxiom has about them in the 
company’s fraud management and directory products. We also provide consumer ac- 
cess to the company’s background screening product, pursuant to the requirements 
of the Fair Credit Reporting Act. 

Question 8. Does Acxiom perform any audits of its systems to ensure accuracy of 
the sensitive consumer information that it compiles? 

Answer. Acxiom is constantly auditing its data compilation processes, and the 
quality of the files it obtains, in order to assure maximum possible accuracy. These 
audits include manual reviews of the data, comparisons to other sources, and 
verification of the company’s consolidation procedures. Acxiom obtains sensitive data 
from only a few select sources with which Acxiom has worked for years. 

Question 9. What auditing does Acxiom perform on its business and government 
clients? Are clients required to type in a specific justification for each search of per- 
sonal information, or do they just see a “click through” agreement? How long are 
audit logs maintained? Has auditing ever revealed wrongdoing that led to a client 
being prosecuted for misusing personal information? 

Answer. Acxiom does not allow access to data products containing sensitive infor- 
mation via a “click through” agreement. As described above, the problem the client 
is trying to address with the data, and the data to be provided by Acxiom, are fully 
vetted by Acxiom’s product, legal and compliance teams. Once the appropriate 
Acxiom products for a particular solution are determined, the client enters into a 
signed written agreement with terms and conditions of use of the data. 

Acxiom’s practice is to maintain audit logs as described above for our fraud man- 
agement products for at least 7 years. 

We have never had an audit reveal wrongdoing that led to a client being pros- 
ecuted for misusing personal information. 

Question 10. To which Federal Government agencies does Acxiom sell sensitive 
consumer information? 

Answer. Acxiom currently provides sensitive data to only one Federal law enforce- 
ment agency engaged in homeland security efforts. 

Question 11. Does your company compile information garnered from warranty 
cards filled out by consumers? If so, what companies generally supply you with this 
information and how is this information stored and used? 

Answer. Acxiom does not compile information garnered from warranty cards, but 
we do license general lifestyle data from sources that do. That information is only 
used for marketing purposes. 

Question 12. Please give a complete listing of the types of personal information 
that your company maintains in all of its product lines, including information based 
on DNA and biometrics. 

Answer. Acxiom possesses absolutely no information based on, derived from, or in 
any way related to DNA or biometrics. 

Marketing Products — Acxiom develops and maintains databases containing infor- 
mation on households in the U.S. for companies to use in their marketing and cus- 
tomer service programs. These databases are developed from many different 
sources, including: 

Public Record and Publicly Available Information — Telephone directories, 
website directories and listings, real property recorder and assessor information, 
historical drivers license information and historical motor vehicle information. 
Data from Other Information Providers — Demographic information, survey in- 
formation and summary buyer information. 
These databases do not include credit information, medical information, Social Se- 
curity Number (or other related information) or personally identifiable information 
about children. 

Reference Products — Acxiom develops and maintains databases containing infor- 
mation about many individuals and households in the U.S. for directory reference 
and fraud management purposes and provides online links to other information pro- 
vider services for use by qualified businesses and government agencies for lawful 
and ethical purposes. These databases are developed from many different sources, 
including: 

Public Record and Publicly Available Information — Telephone directories; real 
property recorder and assessor information; historical drivers license informa- 
tion; current drivers license information, where allowed by law; historical motor 
vehicle information; current motor vehicle information, where allowed by law; 
deceased information; and other suppression information. 

Data from Other Information Providers — Identifying information only (header 
data) from consumer reporting agencies, where allowed by law, and information 
about household characteristics collected and permissioned by the consumer. 

These databases and access to other information provider services include finan- 
cial information, Social Security Number and other related information where per- 
mitted by law. This information is provided only to qualified businesses primarily 
in the finance, insurance, mortgage, real estate and retail industries for the purpose 
of risk management including verifying information about customers, issuing mort- 
gages, speeding transactions, employment screening and reducing the chance of 
fraud. This information is also provided to government agencies for the purposes of 
risk management including verifying information, employment screening, national 
security and assisting law enforcement. 

In order to protect the use of this information, Acxiom does not provide any infor- 
mation, whether public or non-public, to individuals. Acxiom also does not allow our 
clients to make any non-public information available to an individual. Acxiom does 
allow our clients to make only public record and publicly available information 
available to individuals in the form of commonly used and accepted real estate re- 
search tools and public listing searches via the Internet. 


Response to Written Questions Submitted by Hon. Bill Nelson to 
Kurt P. Sanford 

Question 1. Can you explain how LexisNexis organizes and maintains its sensitive 
consumer information? 

Answer. LexisNexis stores all data in electronic files. Individual records comprise 
databases which are distinguished by source. The LexisNexis system has the capa- 
bility to search individual sources or search multiple data sources simultaneously 
in group files, which is a grouping of discrete data files from multiple sources. 

At Seisint, data from multiple sources is generally combined into a group file. 
Even though data is combined into a group file, Seisint retains the ability to distin- 
guish the source from which each record in the group file originated. 

Question 1a. Is all information — regulated or unregulated — contained in one data- 
base? 

Answer. No. In a few limited instances LexisNexis has successfully combined data 
from multiple sources into a group file or report, allowing a single search to be run 
on the resulting group file or report. However, regulated data either separately or 
combined with non-regulated data still requires a declaration of permissible use be- 
fore access is permitted. 

Similarly, at Seisint, regulated data either separately or combined with non-regu- 
lated data still requires a declaration of permissible use before access is permitted. 

Question 1b. If information is maintained separately, can information from one 
database make its way into another database? 

Answer. Information from one database (source file) cannot migrate into another 
database due to system constraints, permissions, data file and record structure. 
However, in a few limited instances we have purposefully combined data into group 
files and reports for ease of use by our customers, as described above. 

Question 1c. If not, how does LexisNexis prevent information from migrating from 
one database into others? 

Answer. N/A. 

Question 2. Some information brokers have cited the difficulty in correcting con- 
sumer files, claiming that the inaccurate information is generated from public 
records. But this addresses only part of the issue. One problem is that information 
brokers may place information regarding one person into another person’s file. This 
is particularly common with persons who have the same name. What steps does 
LexisNexis take to try to avoid this problem? 

Answer. To be linked, data must match on multiple data elements such as name 
and Social Security number, or name, address and telephone number, or some simi- 
lar combination of multiple data elements. We investigate reported mismatches. If 
we confirm an error, we take steps to correct the error. If it is our error we correct 
it, otherwise we direct the consumer to the originating source so that consumer can 
pursue correction directly with the source. 

Question 3. To what extent does LexisNexis sell sensitive consumer information 
to Federal, State, and local law enforcement agencies? 

Answer. The vast majority of information available through LexisNexis comes 
from public records, court decisions, statutes, and other open source publications 
like newspapers, periodicals, and directories. “Sensitive information” on LexisNexis 
is limited to full Social Security numbers obtained from nonpublic sources such as 
credit headers, in accordance with both the Fair Credit Reporting Act (FCRA) and 
the privacy provisions of the Gramm-Leach-Bliley Financial Services Modernization 
Act (GLBA), and drivers license numbers obtained from State departments of motor 
vehicles in compliance with Federal and state implementations of the Drivers Pri- 
vacy Protection Act (DPPA). 

Sensitive information, as defined above, is made available to Federal, State, and 
local law enforcement agencies where such agencies certify that their access is in 
compliance with and expressly permitted under the provisions of the applicable 
laws. 

Question 3a. Does LexisNexis have any limitations on the sale of information to 
law enforcement entities? 

Yes. Law enforcement use of regulated data is limited to only those uses specifi- 
cally permitted under the GLBA and DPPA. 

Question 4. Please describe the procedures governing who can purchase sensitive 
consumer information from LexisNexis. 

Answer. Access to sensitive information is limited to those customers with a per- 
missible purpose under DPPA or GLBA. Prior to entering into a contract with 
LexisNexis, a customer must disclose its intended purpose for the data, which must 
correspond to one or more of the permissible purposes under the GLBA and/or the 
DPPA. In addition, the customer must qualify as an authorized user and must cer- 
tify that it has one of a limited number of authorized uses. LexisNexis has the right 
to review and audit the customer’s use to ensure compliance with terms of the 
agreement. 

Question 4a. Please tell us about the types of holes LexisNexis had in its old proc- 
ess and how the company is now plugging those holes. 

Answer. The security incidents we uncovered primarily involved unauthorized 
persons misusing IDs and passwords of legitimate Seisint customers. As a result, 
we have enhanced our business practices and policies involving the issuance and ad- 
ministration of customer IDs and passwords. These include: 

• Changing customer password security processes to require that passwords for 
both system administrators and users be changed at least every 90 days; 

• Suspending customer passwords of system administrators and users that have 
been inactive for 90 days; 

• Suspending customer passwords after five unsuccessful login attempts and re- 
quiring them to contact Customer Support to ensure security and appropriate 
reactivation; and 

• Requiring that system administrators review the list of employees issued IDs 
and passwords to ensure that access is terminated when an employee leaves the 
company. 
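The four controls listed in the answer above (90-day password rotation, suspension after 90 days of inactivity, lockout after five failed logins with support-only reactivation, and reconciliation of issued IDs against current employees) can be expressed as a single account review. The following is an added example, not LexisNexis or Seisint code; the account records, the HR roster, the reference date and the state names are constructed for illustration.

```python
"""Account-hygiene review modelled on the four password/ID controls above.

Added example, not LexisNexis code. The accounts, roster and "now" are
constructed sample data; the thresholds are the ones stated in the answer.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)   # passwords must change at least every 90 days
INACTIVITY_LIMIT = timedelta(days=90)   # IDs unused for 90 days are suspended
MAX_FAILED_LOGINS = 5                   # fifth failure locks the ID


@dataclass
class Account:
    user_id: str
    role: str                 # "admin" or "user" (both are subject to the same rules)
    password_changed: datetime
    last_login: datetime
    failed_logins: int = 0
    status: str = "active"    # active | password_expired | suspended | locked
    note: str = ""


def evaluate(acct: Account, roster: set[str], now: datetime) -> Account:
    """Apply the controls in order of severity; the first that fires decides the state."""
    if acct.user_id not in roster:
        acct.status, acct.note = "suspended", "ID not on current employee roster"
    elif acct.failed_logins >= MAX_FAILED_LOGINS:
        acct.status, acct.note = "locked", "five failed logins; Customer Support must reactivate"
    elif now - acct.last_login > INACTIVITY_LIMIT:
        acct.status, acct.note = "suspended", "inactive for more than 90 days"
    elif now - acct.password_changed > PASSWORD_MAX_AGE:
        acct.status, acct.note = "password_expired", "password older than 90 days"
    else:
        acct.status, acct.note = "active", ""
    return acct


def record_login_attempt(acct: Account, success: bool, now: datetime) -> Account:
    """Update the counters a login attempt changes; lockout itself is decided in evaluate()."""
    if success:
        acct.failed_logins = 0
        acct.last_login = now
    else:
        acct.failed_logins += 1
    return acct


# Constructed sample data: a reference date, the current employee roster, and five IDs.
NOW = datetime(2005, 5, 10)
ROSTER = {"alice", "bob", "carol", "dave"}
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", NOW - timedelta(days=10), NOW - timedelta(days=1)),
    Account("bob", "user", NOW - timedelta(days=120), NOW - timedelta(days=2)),
    Account("carol", "user", NOW - timedelta(days=30), NOW - timedelta(days=100)),
    Account("dave", "user", NOW - timedelta(days=5), NOW - timedelta(days=1), failed_logins=5),
    Account("erin", "admin", NOW - timedelta(days=5), NOW - timedelta(days=1)),  # left the company
]


def run_review(accounts=SAMPLE_ACCOUNTS, roster=ROSTER, now=NOW) -> dict[str, str]:
    """Return the post-review state of every ID, keyed by user ID."""
    return {a.user_id: evaluate(a, roster, now).status for a in accounts}


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        evaluate(acct, ROSTER, NOW)
        print(f"{acct.user_id:6s} {acct.status:17s} {acct.note}")
```

The roster check runs first on purpose: an ID belonging to someone who has left is a problem regardless of how recently its password was rotated, which is why the answer above has administrators reconcile the issued-ID list rather than rely on password age alone.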

Question 5. Does LexisNexis perform any audits of its systems to ensure accuracy 
of the sensitive consumer information that it compiles? 

Answer. LexisNexis employs a number of procedures to test the accuracy of sen- 
sitive information received and to test the accuracy of this data prior to making the 
data available to customers. Accuracy is measured by determining whether the data 
received matches the data in the source document or record. 

LexisNexis only obtains data from known, reputable sources. Credit header data 
is obtained directly from the originating credit bureau, not through brokers or other 
third parties. 

• We receive the most current data that the supplier can provide; 

• Any questions arising regarding the accuracy of the content delivered to 
LexisNexis are resolved quickly and effectively; 

• Data is delivered in the same, mutually agreed upon format, thereby maintain- 
ing the integrity of the data conversion process and minimizing the risk of con- 
version errors; 

• We respond to any questions regarding data accuracy brought to our attention 
by consumers or others; and 

• Any updates, additions, or changes will be received from the supplier. 

The data conversion process is itself subject to a series of system checks. The data 
is run through the conversion process where computer systems and software check 
for conformance with formatting specifications. Deviations, anomalous data, and 
data omissions are noted and brought to the attention of the appropriate LexisNexis 
personnel for verification, review, or remediation with the data supplier. 

Question 6. What auditing does LexisNexis perform on its business and govern- 
ment clients? 

Answer. LexisNexis has established systems that allow us to monitor usage and 
identify abnormal usage patterns. When abnormal usage is discovered, access is 
shut off and the use investigated. 

Question 6a. Are clients required to type in a specific justification for each search 
of personal information, or do they just see a “click through” agreement? 

Answer. LexisNexis does provide electronic access to applicable terms and condi- 
tions on use for all users. These terms and conditions keep users informed of their 
obligations under the written agreement. 

In addition, LexisNexis employs a series of electronic notices and responses to de- 
termine whether users have a legally permissible purpose for accessing legally re- 
stricted, personal information such as credit headers subject to restrictions on use 
under the privacy provisions of the GLBA or driver’s license records restricted under 
the DPPA. These notices provide users with the permissible purposes authorized 
under the applicable statutes. Unless the user indicates a specific, enumerated per- 
missible purpose, access is denied. 

Users are given notice that records of their use of these materials are subject to 
recordkeeping requirements of applicable Federal and State laws and of data sup- 
pliers. Records are maintained of the user ID, permissible purpose, date, and time 
of the search. 
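The answers to Questions 6 and 6a describe three mechanisms that fit together: a search is denied unless the user selects an enumerated permissible purpose, each permitted search leaves a record of user ID, purpose, date and time, and those records are monitored for abnormal usage patterns that trigger a shut-off. The following is an added example, not LexisNexis code, showing one way the three mechanisms combine. The purpose codes `P1`-`P3` are placeholders for the statute-enumerated purposes (the GLBA and DPPA lists are not reproduced here), the abnormal-usage thresholds are assumed values, and the search traffic is constructed.

```python
"""Permissible-purpose gating, audit recording and abnormal-usage cut-off.

Added example, not LexisNexis code. Purpose codes, thresholds and the
search log below are constructed stand-ins, not the company's real values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Placeholder codes standing in for the enumerated GLBA/DPPA permissible purposes.
PERMISSIBLE_PURPOSES = {"P1", "P2", "P3"}

# Assumed abnormal-usage rule: a user's busiest hour must exceed both an absolute
# floor and a multiple of that user's own typical hourly volume to be flagged.
ABS_FLOOR = 20
MULTIPLIER = 5


class AccessGate:
    def __init__(self):
        self.audit_log = []      # one record per permitted search
        self.suspended = set()   # users whose access was shut off pending investigation

    def search(self, user_id: str, purpose: str, when: datetime) -> str:
        """Gate a search: suspended users and unenumerated purposes are denied."""
        if user_id in self.suspended:
            return "denied: access suspended"
        if purpose not in PERMISSIBLE_PURPOSES:
            return "denied: no enumerated permissible purpose"
        self.audit_log.append({"user_id": user_id, "purpose": purpose, "timestamp": when})
        return "allowed"


def hourly_counts(records):
    """Bucket permitted searches per user per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        hour = r["timestamp"].replace(minute=0, second=0, microsecond=0)
        counts[r["user_id"]][hour] += 1
    return counts


def find_abnormal_users(records) -> dict:
    """Flag users whose peak hour is far above their own median hour."""
    flagged = {}
    for user, by_hour in hourly_counts(records).items():
        values = sorted(by_hour.values())
        peak = values[-1]
        baseline = median(values[:-1]) if len(values) > 1 else 0
        if peak >= ABS_FLOOR and peak > MULTIPLIER * max(baseline, 1):
            flagged[user] = peak
    return flagged


def monitor(gate: AccessGate) -> dict:
    """Shut off access for flagged users; the investigation happens offline."""
    flagged = find_abnormal_users(gate.audit_log)
    gate.suspended.update(flagged)
    return flagged


def build_sample_log() -> AccessGate:
    """Constructed traffic: two steady users and one user who runs a burst of lookups."""
    gate = AccessGate()
    start = datetime(2005, 5, 10, 8, 0)
    for h in range(8):
        for m in range(0, 60, 20):                 # 3 searches per hour each
            gate.search("u_normal1", "P1", start + timedelta(hours=h, minutes=m))
            gate.search("u_normal2", "P2", start + timedelta(hours=h, minutes=m))
    for h in range(7):                             # 1 search per hour baseline
        gate.search("u_burst", "P1", start + timedelta(hours=h))
    for m in range(0, 60, 2):                      # then 30 searches in one hour
        gate.search("u_burst", "P1", start + timedelta(hours=7, minutes=m))
    gate.search("u_normal1", "unspecified", start)  # no purpose chosen: denied, not logged
    return gate


def demo() -> dict:
    gate = build_sample_log()
    flagged = monitor(gate)
    after = datetime(2005, 5, 10, 16, 0)
    return {
        "permitted_records": len(gate.audit_log),
        "flagged": flagged,
        "burst_after": gate.search("u_burst", "P1", after),
        "bad_purpose": gate.search("u_normal1", "P9", after),
        "normal_after": gate.search("u_normal1", "P1", after),
    }


if __name__ == "__main__":
    print(demo())
```

The baseline is computed per user rather than across all customers, because a legitimate high-volume account would otherwise mask a burst from a normally quiet one; the absolute floor keeps a user who goes from one search to six from being flagged on ratio alone.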

Question 6b. How long are audit logs maintained? 

Answer. In accordance with the requirements of the DPPA, records of the identity 
of the user and of the applicable permitted use must be maintained for at least 5 
years for searches involving information covered by that statute. 

Question 6c. Has auditing ever revealed wrongdoing that led to a client being 
prosecuted for misusing personal information? 

Answer. We have identified instances where it appeared from searching patterns 
that customers could have been misusing personal information. In those instances 
system access was either suspended or modified to avoid the possibility of improper 
use. 

Question 7. To which Federal Government agencies does your company sell sen- 
sitive consumer information? 

Answer. LexisNexis works with virtually every agency in the Federal Govern- 
ment. Some of our customers include: 

• Homeland Security agencies 

• Law enforcement agencies 

• Intelligence agencies 

• Entitlements agencies 

• Regulatory agencies 

• Revenue agencies 

Question 8. Does your company compile information garnered from warranty 
cards filled out by consumers? 

Answer. No. 

Question 8a. If so, what companies generally supply you with this information and 
how is this information stored and used? 

Answer. N/A. 

Question 9. Please give a complete listing of the types of personal information that 
your company maintains in all of its product lines, including information based on 
DNA and biometrics. 
Answer. The information maintained by LexisNexis falls into the following three 
general classifications: public record information, publicly available information, and 
non-public information. 

Public record information. Public record information is information originally ob- 
tained from government records that are available to the public. Real estate records, 
court records, and professional licensing records are examples of public record infor- 
mation collected and maintained by the government for public purposes, including 
dissemination to the public. 

Publicly available information. Publicly available information is information that 
is available to the general public from non-governmental sources. Telephone direc- 
tories are an example of publicly available information. 

Non-public information. Non-public information is information about an indi- 
vidual that is not obtained directly from public record information or publicly avail- 
able information. This information comes from proprietary or non-public sources. 
Non-public data maintained by LexisNexis consists primarily of information ob- 
tained from driver’s license records, motor vehicle records or credit header data. 
Credit header data is the non-financial identifying information located at the top of 
a credit report, such as name, current and prior address, listed telephone number, 
Social Security number, and month and year of birth. 

LexisNexis does not collect or distribute personal financial information such as 
credit card account information or personal medical records. LexisNexis does not col- 
lect or maintain either DNA or biometric data. 